Three reasons you shouldn't neglect your application security

Despite so much emphasis on all forms of security these days, business applications remain among the most vulnerable and most frequently exploited IT components. Investment in application monitoring should be part of a comprehensive defense strategy. Keith Brogan of managed security provider Vigilant shares his thoughts on the importance of application security.

Business applications are the gateway to nearly all sensitive information, yet they often are the most vulnerable and the most frequently exploited IT components in the enterprise. Many critical business applications were never designed with security in mind and, in many organizations, the responsibility for application security is a game of hot potato between senior management, developers, application owners, security operations and quality assurance teams.

None of these groups wants to accept responsibility for application security, which creates an ownership vacuum that overlooks critical vulnerabilities and allows basic security processes to fall through the cracks.

As cybercrime and fraud become more prevalent and costly, application security must become a core concern throughout IT. This includes both improved discipline in secure software development, and investment in application monitoring as a critical component of a comprehensive defense strategy.

I recently spoke with Keith Brogan, director of Professional Services for Vigilant Inc., a managed security service provider. Brogan discusses three reasons why every organization should put greater emphasis on application security.

* Application fraud puts your customers at serious risk. Any organization that hosts an application for its customers is at risk for fraud. The risks are expanding as organizations rush to meet customers' mobile access demands, often sacrificing security and security monitoring in an effort to roll out new applications more quickly. Ironically, these new applications actually are more likely to be designed with built-in security features than their predecessors. The legacy enterprise applications that comprise much of today's computing environment remain extremely vulnerable, having been built on layers of older technology, each with varying degrees of security monitoring. Over the past several years many organizations have learned this lesson the hard way, as hackers have compromised millions of people's sensitive information by exploiting basic system flaws. By improving visibility, application monitoring programs improve the likelihood that malicious activity can be caught quickly.

* Fraud doesn't always look like fraud. Malicious activity isn't just about singular, massive breaches. Often the most effective fraud is perpetrated by false transactions that are obscured among many valid ones. Organizations in the computer reservation and global distribution space are particularly vulnerable to this type of application attack, since transactions are constantly taking place across thousands of locations, making anomalies even more difficult to detect. Monitoring and analytics can help organizations identify the trends and usage patterns that ultimately reveal illicit behavior.

To do this effectively, enterprises should conduct a risk-focused review of their applications, develop a method of prioritizing those applications, and then perform a detailed baseline analysis of the way people and business processes interact with each application. This makes it easier to expose abnormal or abusive activity. The right tools and processes also can help an organization make the distinction between actual fraudulent behavior and suspicious activity, and a robust SIEM solution can help to contextualize and correlate transaction data to ensure that output is consumable and that the system isn't generating a high rate of false-positive events.

* Application security is good business. Enterprises may worry that implementing application security monitoring and analytics is too expensive -- but the cost will be higher for those organizations that don't. Data breaches and financial or intellectual property losses often involve misuse or penetration of a business application, and even if your apps have not yet been compromised or misused, it's a near certainty that they will be eventually. A breach of your business applications can cost millions in lost revenue. It makes more sense to invest now and pragmatically reduce risk than to spend even more recovering from a breach.

In one recent example, a financial institution used application monitoring to correlate information including user names, addresses, IP addresses and transaction types around inbound connections to a critical application. With this insight, the company was able to vastly improve its ability to detect and stop anomalous activity, resulting in its first ever zero-loss quarter. In an era when security professionals are looking for a way to justify security expenses, application monitoring systems can pay for themselves many times over.
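The baseline-then-correlate approach described above (profile how each user normally interacts with an application, then correlate user name, IP address and transaction type on new activity) can be sketched as follows. This is an added example, not code from the article or from Vigilant; the record layout, the sample data, the amount field and all thresholds are assumptions chosen for illustration. Requiring at least two independent signals before alerting is one simple way to keep the false-positive rate down.

```python
from collections import defaultdict

# Constructed sample records (not real data): (user, source_ip, txn_type, amount)
BASELINE = [
    ("alice", "198.51.100.10", "balance", 0), ("alice", "198.51.100.10", "transfer", 120),
    ("alice", "198.51.100.10", "transfer", 80), ("bob", "198.51.100.22", "balance", 0),
    ("bob", "198.51.100.22", "bill_pay", 60), ("carol", "198.51.100.35", "transfer", 300),
]
CURRENT = [
    ("alice", "198.51.100.10", "transfer", 95),    # matches baseline
    ("bob", "198.51.100.77", "bill_pay", 55),      # new IP only: one signal, no alert
    ("carol", "203.0.113.5", "wire", 4800),        # new IP, new type, spike, shared IP
    ("alice", "203.0.113.5", "wire", 2500),
    ("bob", "203.0.113.5", "address_change", 0),
]

def build_baseline(events):
    """Per-user profile: source IPs, transaction types and largest amount seen."""
    profile = defaultdict(lambda: {"ips": set(), "types": set(), "max_amount": 0})
    for user, ip, txn_type, amount in events:
        p = profile[user]
        p["ips"].add(ip)
        p["types"].add(txn_type)
        p["max_amount"] = max(p["max_amount"], amount)
    return dict(profile)

def detect(events, profile, fanout=3, spike=3, min_signals=2):
    """Return (event, signals) for events showing at least min_signals deviations."""
    ip_users = defaultdict(set)          # correlate: which users share a source IP
    for user, ip, _, _ in events:
        ip_users[ip].add(user)
    empty = {"ips": set(), "types": set(), "max_amount": 0}  # user with no baseline
    alerts = []
    for event in events:
        user, ip, txn_type, amount = event
        p = profile.get(user, empty)
        signals = []
        if ip not in p["ips"]:
            signals.append("new_ip")
        if txn_type not in p["types"]:
            signals.append("new_type")
        if amount > spike * p["max_amount"]:
            signals.append("amount_spike")
        if len(ip_users[ip]) >= fanout:
            signals.append("shared_ip")
        if len(signals) >= min_signals:
            alerts.append((event, signals))
    return alerts
```

Calling `detect(CURRENT, build_baseline(BASELINE))` flags the three transactions from the shared address and leaves the single-signal event (a known user on a new IP doing a routine bill payment) for lower-priority review.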

Enterprises need a real, quantifiable picture of the risk they face on an ongoing basis. They can no longer afford to assume that their applications are secure, or that someone else on their team is responsible for ensuring that they are. It's time to take our heads out of the sand and put some real resources behind not only the discipline of secure software development, but the ongoing monitoring of the security of critical business applications.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Copyright © 2013 IDG Communications, Inc.