- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
CIO - CEOs and the technologists who work for them like to say the applications they rely on-- especially the kind custom-written by specialists at banks and investment companies with fortunes behind them--are safe as houses.
And they are, if you're talking about houses in Louisiana when the Gulf starts lashing hurricanes and tarballs.
Almost 60 percent of all the applications brought to security testing and risk-analysis company Veracode during the past 18 months couldn't meet the minimum standards for acceptable security, even when the criteria were dialed down to accommodate applications that don't pose a great security risk, according to Samskriti King, vice president of product marketing at the company. Web-based apps carry their own special set of risks.
"There are far more people on Web projects because they're often easier to develop; many components are already available so you can stand up Web applications very easily," King says. "Developer education usually focuses on applications generated and used in one place, but Web applications could touch many places, so a vulnerability in one component could manifest in many places if it's reused."
Unfortunately, developers trained with software that's generated and used in one location with a single set of servers often don't understand the precautions needed for Web applications that take code, data, and elements of the interface from many servers, she says.
[ For more background on securing Web-based apps, see 5 Problems with SaaS Security. ]
The typical number of security flaws, especially in legacy or other homegrown software, must be taken into account by cloud-computer service providers, says Thomas Kilbin, CEO of cloud and hosted-server provider Virtacore Systems. After all, he says, customers who want on-demand compute capacity don't want to rewrite all their applications just to run in an environment designed to save money and add convenience.
"Our customers are taking apps they had running in their back office and moving them to private clouds for the most part," Kilbin says. "They are not developing any apps geared towards only working in a cloud IaaS/SaaS model. We secure these apps via a number of methods, traditional firewalls, app specific firewalls from Zeus, etc."
Keeping Web-based apps secure can be particularly tough for smaller IT teams.
"The cloud model is more threat-rich than the shared hosting model, mainly because in shared hosting the core OS and apps--php, perl, mysql--are kept updated by the service provider," Kilbin says. "In the cloud, the customer has to keep the core OS updated, along with the application stacks, in addition to their code."
Most customers don't have the expertise or the time to do so, Kilbin says.
Some 2,922 applications were examined by Veracode in the past 18 months, with the results detailed in the company's recently released State of Software Security Report: The Intractable Problem of Insecure Software.
Some of the applications sent to Veracode for testing come from ISVs or corporate programmers in the last stages of development. Another big chunk comes from developers who have to present certifications or risk analyses before closing a deal with government agencies or heavily regulated industries.