Welcome!

Related Topics: Cloud Security, Java IoT, Microservices Expo, Linux Containers, Open Source Cloud, Containers Expo Blog

Cloud Security: Article

Test All Apps to Keep Hackers from Penetrating Castle Walls

Four major challenges when protecting apps and how to solve them

Despite all the news about hackers infiltrating major corporations, most businesses continue to leave themselves woefully unprotected. Some surveys estimate more than 70% of businesses perform vulnerability tests on less than 10% of their cloud, mobile and web applications. A majority also confess they have been hacked at least once in the last two years.

While most large businesses have begun application vulnerability testing, there is still a long way to go. After all, you are only as strong as your weakest link; hackers will undoubtedly find and attack any application without sufficient defenses.

Although testing and creating protection for high-value and mission-critical applications is better than not doing anything at all, leaving low-priority applications unprotected is still a major risk. If hackers can exploit just one application, that means they can then access the rest of your infrastructure. They'll eventually figure out a way to also attack your high-value applications.

Major Challenges When Protecting Applications
W
hy in spite of all the risks are organizations not identifying all the vulnerabilities in their cloud, mobile and web applications? Security professionals typically point to several reasons that hold them back:

  • Limited Budget: Businesses simply don't allocate enough money to test all applications. Whether additional headcount or technology is required, testing costs money, and most organizations do not set aside sufficient funds.
  • Lack of Expertise: Application security is still not a mature science. Even companies with the budget to hire expertise find it difficult to recruit security experts who really understand application security.
  • Compliance Focus: Most organizations are driven first by compliance requirements rather than security. So the focus is only on applications that help achieve compliance while other applications are ignored. Applications assessed for security are tested in many cases only to get a checkbox for compliance - not necessarily for sufficient security.
  • External Focus Only: One misconception when it comes to application security is that companies shouldn't worry about testing internal applications with no external interface. But think of insider threats. What if you have an internal human resources application with access to confidential employee information? If a less-than-ethical employee exploits a privilege, they can gain access to sensitive records, and your company becomes non-compliant with various standards.

Recommendations for Protecting Your Business
Despite these challenges, there are practical ways to protect your business. Here are a few recommendations to identify application vulnerabilities:

  • Respect the Impact of Hacking: According to research by Forrester and the Ponemon Institute, the average cost per record in the case of a breach is at least $300. Most companies have thousands of records. And more than 75% of attacks occur through web applications.
  • Outsource: You don't have to do everything yourself. Consider a managed service or a cloud service to help you secure your cloud, mobile and web applications quickly and affordably.
  • Create a Process: You can cut your costs by creating a pyramid according to the value of all your apps. First identify and then test all your applications. Based on what you find, you can prioritize applications that need deeper penetration testing. This way, you'll cover all your applications without spending a fortune and taking too long. Automated solutions and a good process can help you get there quickly.
  • Manage Your Risk: You will find hundreds of vulnerabilities within your applications, but you won't have time to fix them all. Take a risk management approach and prioritize these vulnerabilities based on a quantitative score. The ones with the highest score (i.e., most likely to be exploited) are the most sensitive and should be addressed right away. All others should be blocked with a web application firewall or other methodologies.

Raise Your Castle Walls to Thwart Attacks
Any breach can have a severely adverse impact on your bottom line. Cloud, mobile and web application vulnerabilities are low-hanging fruit for hackers - they would rather pick these than go after the hard stuff.

Hacking, unfortunately for the rest of us, has become a lucrative profession, and intruders will continue to attack to earn their living. Whether their motive is financial gain, espionage, hacktivism or perhaps something even more pernicious, hackers will continue to fire shots until they penetrate.

Although you can't fire back at the enemy and can't be 100% secure, you can certainly raise the walls of your castle. This puts you in a much better position to thwart their attempts.

More Stories By Michelle Drolet

Michelle Drolet is founder of Towerwall, a data security services provider in Framingham, MA with clients such as PerkinElmer, Smith & Wesson, Middlesex Savings Bank, Brown University and SMBs. You may reach her at [email protected]

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
Real IoT production deployments running at scale are collecting sensor data from hundreds / thousands / millions of devices. The goal is to take business-critical actions on the real-time data and find insights from stored datasets. In his session at @ThingsExpo, John Walicki, Watson IoT Developer Advocate at IBM Cloud, will provide a fast-paced developer journey that follows the IoT sensor data from generation, to edge gateway, to edge analytics, to encryption, to the IBM Bluemix cloud, to Wa...
With the rise of DevOps, containers are at the brink of becoming a pervasive technology in Enterprise IT to accelerate application delivery for the business. When it comes to adopting containers in the enterprise, security is the highest adoption barrier. Is your organization ready to address the security risks with containers for your DevOps environment? In his session at @DevOpsSummit at 21st Cloud Expo, Chris Van Tuin, Chief Technologist, NA West at Red Hat, will discuss: The top security r...
SYS-CON Events announced today that Fusic will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Fusic Co. provides mocks as virtual IoT devices. You can customize mocks, and get any amount of data at any time in your test. For more information, visit https://fusic.co.jp/english/.
The “Digital Era” is forcing us to engage with new methods to build, operate and maintain applications. This transformation also implies an evolution to more and more intelligent applications to better engage with the customers, while creating significant market differentiators. In both cases, the cloud has become a key enabler to embrace this digital revolution. So, moving to the cloud is no longer the question; the new questions are HOW and WHEN. To make this equation even more complex, most ...
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
IBM helps FinTechs and financial services companies build and monetize cognitive-enabled financial services apps quickly and at scale. Hosted on IBM Bluemix, IBM’s platform builds in customer insights, regulatory compliance analytics and security to help reduce development time and testing. In his session at 21st Cloud Expo, Lennart Frantzell, a Developer Advocate with IBM, will discuss how these tools simplify the time-consuming tasks of selection, mapping and data integration, allowing devel...
Today traditional IT approaches leverage well-architected compute/networking domains to control what applications can access what data, and how. DevOps includes rapid application development/deployment leveraging concepts like containerization, third-party sourced applications and databases. Such applications need access to production data for its test and iteration cycles. Data Security? That sounds like a roadblock to DevOps vs. protecting the crown jewels to those in IT.
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists examined how DevOps helps to meet the de...
SYS-CON Events announced today that B2Cloud will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. B2Cloud specializes in IoT devices for preventive and predictive maintenance in any kind of equipment retrieving data like Energy consumption, working time, temperature, humidity, pressure, etc.
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo Silicon Valley which will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. "DevOps is at the intersection of technology and business-optimizing tools, organizations and processes to bring measurable improvements in productivity and profitability," said Aruna Ravichandran, vice president, DevOps product and solutions marketing...
Many organizations adopt DevOps to reduce cycle times and deliver software faster; some take on DevOps to drive higher quality and better end-user experience; others look to DevOps for a clearer line-of-sight to customers to drive better business impacts. In truth, these three foundations go together. In this power panel at @DevOpsSummit 21st Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, industry experts will discuss how leading organizations build application success from all...
SYS-CON Events announced today that NetApp has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. NetApp is the data authority for hybrid cloud. NetApp provides a full range of hybrid cloud data services that simplify management of applications and data across cloud and on-premises environments to accelerate digital transformation. Together with their partners, NetApp em...
Elon Musk is among the notable industry figures who worries about the power of AI to destroy rather than help society. Mark Zuckerberg, on the other hand, embraces all that is going on. AI is most powerful when deployed across the vast networks being built for Internets of Things in the manufacturing, transportation and logistics, retail, healthcare, government and other sectors. Is AI transforming IoT for the good or the bad? Do we need to worry about its potential destructive power? Or will we...