Top 5 Reasons Why You Need an AppSec Program
Veracode Gbook
TRANSCRIPT
Introduction
Hardly a day goes by without a news story about a major data breach. And most of these breaches stem from vulnerabilities in applications. Yet, most companies are not investing in application security.
A variety of misconceptions lead to the lag in appsec adoption, but the reality is: you need an appsec program.
THE FOLLOWING ARE THE TOP 5 REASONS WHY…
1. Software is critical to your business.
2. Most apps are hackable.
3. Apps are the top attack vector.
4. You’re not immune if you don’t develop your own software.
5. If you get breached, you will pay.
REASON #1: Software is critical to your business.
You’re a software company, whether you know it or not.
The world now runs on applications. Every company uses applications to make business decisions, and to interact with business partners. Even GE now considers itself a software company.
With this increased reliance on software, application quality now impacts your bottom line.
“On our current trajectory, GE is on track to be a top 10 software company.”
JEFFREY R. IMMELT, CEO, GENERAL ELECTRIC
REASON #2: Most apps are hackable.
Veracode’s State of Software Security Report revealed that about 70 percent of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types.
REASON #3: Apps are the top attack vector.
In fact, Web and mobile applications account for more than a third of data breaches.
Attacks at the application layer are growing by more than 25% annually.
From Q1 to Q2 2015, there was a 17.65 percent increase in DDoS attacks targeting the application layer.
AKAMAI’S Q2 2015 “STATE OF THE INTERNET SECURITY REPORT”
Web + mobile: 33%
2014 Verizon Data Breach Investigations Report
Q3 2015 State of the Internet Security Report, Akamai, Dec. 8, 2015
39% of the costs associated with information loss are due to business disruption, including lost employee productivity and outright failures.
Q3 2015 State of the Internet Security Report, Akamai, Dec. 8, 2015
$7.7 MILLION per company is the average annual loss worldwide due to cybercrime.
2015 Ponemon Institute Cost of Cyber Crime Study: Global
A typical $500 million-plus enterprise has developed more than 3,079 applications.
According to “2014 State of the CIO,” CIO Magazine
Enterprises have spent billions of dollars securing the network, perimeter and hardware at their organizations, but have yet to invest sufficiently in securing their applications.
At the same time, these enterprises are building, buying and downloading applications at a breakneck pace and in record numbers.
Why are apps the top attack vector? Because hackers know we’re sloppy about securing them.
[Figure values: 79%, 28%, 63%]
• Of enterprise applications are never assessed for vulnerabilities (According to IDC)
• Of developers either have no process or an ineffective ad hoc process for building security into applications (According to Ponemon)
• Of organizations don’t even know how many applications they have (According to SANS)
REASON #4: You’re not immune if you don’t develop your own software.
Cyberattackers are looking for the path of least resistance into your organization, and that path is increasingly through less-critical and third-party applications.
65 percent of a typical enterprise application portfolio comes from third parties, yet 90 percent of third-party code does not comply with enterprise security standards such as the OWASP Top 10.
ACCORDING TO QUOCIRCA AND VERACODE’S REPORT, STATE OF SOFTWARE SECURITY, ENTERPRISE TESTING OF SOFTWARE SUPPLY CHAIN
A scary example…
JPMorgan Chase was breached through a third-party app promoting its charitable road race. The breach led to records stolen from:
• 76 MILLION HOUSEHOLDS
• 7 MILLION BUSINESSES
Your application security program should include third-party software, and hold it to the same security standards as internally developed software.
You’re not off the hook if you don’t develop your software from scratch either.
Remember Heartbleed? That headache stemmed from a vulnerability in OpenSSL, a common component used in applications to encrypt data in transport.
Community Health lost more than 4 MILLION PATIENT RECORDS thanks to a breach due to the Heartbleed vulnerability.
Things to consider:
1. Components make development easier… and riskier.
2. Your organization doesn’t own the code and can’t update it if a vulnerability is found.
3. You need an application security program that tracks the use of components and outlines acceptable ways to use them.
REASON #5: If you get breached, you will pay.
The Verizon 2015 Data Breach Investigations Report found that data breaches cost businesses around the world $400 million. Don’t underestimate the cost of a breach.
COST OF A BREACH
LOST REVENUE
This might result from stolen corporate data, lowered sales volumes (if consumers get scared) or falling stock prices.
MONEY SPENT ON INVESTIGATION AND CLEANUP
A recent joint Veracode/Centre for Economics and Business Research (Cebr) report found that cyberattacks cost UK firms £34 billion in revenue losses and subsequent increased IT spending.
You’ll also feel the cost of a breach in…
COST OF DOWNTIME
A recent Information Age article estimated that every hour of downtime costs businesses $100,000.
BRAND DAMAGE
The long-term reputation damage associated with security breaches can be substantial and lead to intangible costs or loss of business.
The end goal for any organization should be a mature, robust application security program that:
• Assesses every application, whether built in-house, purchased or compiled
• Enables developers to find and fix vulnerabilities while they are coding
• Takes advantage of automation and cloud-based services to more easily incorporate security into the development process and scale the program
AppSec Critical