4 Reasons You Need an Application Security Assessment

Today’s enterprises are using applications for just about everything, from project management to accounting and even customer relationship management (CRM). With applications being used for so many core business functions, a single application vulnerability can leave the door open for a devastating security breach. Here are four compelling reasons your company should conduct application security assessments as a rule.

There’s an exponential increase in vulnerabilities in web applications. Veracode’s State of Software Security Report (Volume 5), issued in April 2013, shows that 70 percent of web applications fail to comply with security policies on first submission—a 10 percent increase from the previous year. This statistic alone signifies the importance of evaluating each and every application against your enterprise’s protocols. Most application developers take steps to reduce vulnerabilities in their applications prior to deployment, but with security policies varying across organizations it’s difficult to achieve across-the-board compliance.

As of September 2012, another survey showed that more than half of responding companies (51 percent) had experienced at least one web application security breach within the previous 18-month period. Even back in 2009, the Gartner Group estimated that “75 percent of security breaches happen at the application layer”—a statistic that has been widely cited. Gartner further estimates that more than 70 percent of all vulnerabilities exist at the application layer—not the network layer.

Enterprises that take application security into their own hands ensure the safety of the new security perimeter, which now lies at the application level instead of the firewalls and VPNs of a few years ago. IDC estimates that by the year 2015, 24 percent of new business software purchases will be service-enabled software. That means more and more applications will run in the cloud, posing an increasingly complex set of challenges for corporate IT. Without adequate testing and accountability, a single compromised username and password could create a path to an enterprise’s entire data infrastructure.

For attackers, web applications are both easy and worthwhile targets. Common flaws such as SQL injection, cross-site scripting, poor input validation and broken authentication make it possible for attackers to infiltrate these applications with little effort. Upon gaining access, hackers can disrupt application availability, hinder service delivery and destroy or steal sensitive and private information such as credit card data.

Not only are application attacks growing more prevalent, they’re also costly. SQL injection alone accounts for about 32 percent of attacks on web applications, and a single SQL injection breach can result in the exposure of millions of email addresses and personal data. That issue is compounded by the fact that it’s becoming easier than ever for amateur hackers to carry out these attacks successfully, thanks to dozens of tutorials outlining the step-by-step process all over the web. And unfortunately, some amateur hackers have little motivation for doing so other than proving their own skills—meaning virtually every enterprise is vulnerable to a random SQL injection attack.
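The SQL injection flaw named above is the kind of defect an application security assessment is meant to surface. The following is an added example, not code from the original article: a login check that splices user input directly into the SQL text, beside the parameterized version an assessor would expect to see instead. The in-memory table, the single user row and the credentials are constructed sample data.

```python
import sqlite3


def build_db():
    """Constructed sample database: one users table with a single row (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Flawed pattern: user input is formatted into the SQL string.

    Anything containing a quote character becomes part of the query syntax,
    so the caller controls the WHERE clause rather than just its values.
    """
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened pattern: placeholders keep data separate from SQL text.

    The driver binds the values after the statement is parsed, so the
    query's structure cannot change no matter what the input contains.
    """
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run both checks on the same input; returns (vulnerable_result, hardened_result)."""
    conn = build_db()
    try:
        return login_vulnerable(conn, username, password), login_parameterized(conn, username, password)
    finally:
        conn.close()


if __name__ == "__main__":
    # Genuine credentials: both versions agree.
    print("valid login:", compare("alice", "correct horse"))
    # The textbook tautology in the password field turns the WHERE clause into
    # "... AND password = '' OR '1'='1'", which matches every row in the
    # string-built query; the parameterized query treats it as a literal password.
    print("tautology:", compare("nobody", "' OR '1'='1"))
```

In a code review, the string-built query is the finding and the parameterized query is the remediation; the assessment value is in spotting every place where query text is assembled from request data, not just the login form.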

SQL injection and other web application attacks aren’t cheap, either. With the exposure of millions of customer email addresses, potentially credit card and other payment information, enterprises stand to lose millions of dollars with a single breach. The cost of these incidents ranges from $90 to $305 per compromised record depending on the nature of the security breach and the company hacked. These costs include system cleanup and forensic analysis, regulatory and legal costs, consumer breach notification and credit monitoring services.

When considering those expenses, it’s no surprise that the total cost of a single breach can range from several million dollars to well into the billions. In 2005, ChoicePoint lost data for 145,000 customers and ended up spending $11.4 million in related costs, including $2 million to notify victims of the incident and $9.4 million in legal and professional fees.

These web application flaws also place organizations at significant risk for non-compliance with government and industry regulations. These include the Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS). Compliance issues lead to further costs, such as fines, and even a loss of government contracts in some cases—which can be a hard hit to the bottom line. Healthcare corporations suffering a patient data breach, for instance, can be fined for failing to adequately protect patients’ personal healthcare data.

Reputation and brand image are highly vulnerable to negative events including a data breach. The financial costs of a data breach outlined above only consider cold, hard cash—it’s hard to place a value on a damaged brand reputation. But a loss of information can lead to customer distrust, undermining your enterprise’s reputation and tarnishing the corporate image.

A study from the Ponemon Institute attempts to quantify such damages and reveals how valuable these assets are to an organization. The average value of brand and reputation for the study’s participating organizations was determined to be approximately $1.5 billion. Depending upon the type of information lost as a result of the breach, the average loss in brand value ranged from $184 million to more than $330 million, representing a decline in value of between 17 and 31 percent.

With the number of application security breaches on the rise, vulnerabilities prevalent and the cost of a single breach skyrocketing, enterprises that adopt application security assessment practices are playing it smart. The cost of a precautionary measure is well worth it to prevent a security disaster that, in many cases, could easily bankrupt your corporation.