Latin America. Preston Hogue, Director of Security Marketing at F5 Networks, shares his special insight into how risk-based application security delivers the best protection for your data and your business.
We have left behind the original concept of application security. In the late 1990s, most applications were not used on the Internet, so security was focused on the software development cycle and ensuring that developers adhered to secure coding best practices.
Secure code is still an important part of application security, but it's not everything. We need to look at the issue from a much broader perspective. As I see it, we must employ a risk-based approach and analyze all the components that constitute an application, and then develop a strategy that provides the greatest security to the application as a whole. Because when a component of an application is compromised (whether it's a code vulnerability, network availability, SSL, or DNS) the entire application, as well as the data it hosts, is affected.)
For example, think about availability. Today, applications are Internet-based, so a volumetric DDoS attack can render an application useless, or even disabling. Now, that has nothing to do with secure code, but it's vitally important to the overall health of your app because no one can access it.
Or what happens if you have a password intercepted? Confidentiality has nothing to do with secure code either. But your application is still compromised and your data may be exposed. That is why we need to apply the basic principles of confidentiality, integrity and availability to all components of an application, identify weaknesses where they arise and correct them.
Visualizing application security from a risk-based perspective allows you to focus on component failures and helps you provide the most robust security for the data that is the primary target of most attacks.
Data theft has become so common today because attackers have a convenient way to access it. Using a risk-based approach allows you to focus on what's most important to your business, whether it's preventing someone from messing up your website or providing protection against data breaches. This risk-based approach reinforces your global stance around security while ensuring you get the most value from the money you invest.
Here's the thing: 72% of all attacks happen at the application level, but companies invest as little as 10% of their security budget in application security. That doesn't make any sense.
With the exponential growth of the Internet of Things and the applications that accompany it, this problem is becoming increasingly complex. In 2010 there were 200 million Web applications; today it is 1,000 million. By 2020, it could easily be $5 billion. All these applications are vectors of vulnerability. Just think of the Barbie with Wi-Fi connectivity or a smart refrigerator and multiply that by 1,000 or by 10,000.
That's why it's time to broaden our perspective on application security so that we're in a better position to effectively protect all the components that make up our applications, safeguard our data, and protect our businesses.
