Business Justification for Application Security Assessment
Today's enterprise and the end users have increasingly become dependent on IT applications. IT Applications (most of them are web based) allow customers/users to directly access personal and confidential information, encouraging self-driven model, decreasing business cost. Critical business functions are dependent successful functioning of the IT applications e.g. enterprise such as eBay, Amazon.com has most of their business dependent on their Internet facing flagship applications.
There is exponential increase in vulnerabilities found in Web Applications putting significant financial impact to the enterprise and privacy of the end users. Gartner's recent studies shows that hackers are moving towards web application based attacks, 75% of total attacks now occur on Web applications. Systems and network administrators in last 5-10 years (end 1990s to early 00s) have achieved significant maturity on controlling OS and network level attacks. Strong OS hardening/patching procedures coupled with well managed firewalls provides sufficient surety to the business that these layers are secure and not easy to penetrate.
This is yet not true for applications, especially web applications. Web applications provide a logical tunnel from outside/Internet to the backend databases inside the enterprise. Web applications are complex piece of code with a mix of customized business logic, third party libraries, back-end database routines and integration to multiple other applications. Complexity increases potential points of failures. A recent study by penetration testers  shows that more than 95% of web applications have some sort of vulnerability.
What pressures business is coming under?
Compliance and Regulatory Needs
Sarbanes-Oxley for financial accounting, HIPAA for safe handling of medical records, Gramm-Leach-Bliley for privacy of customer and PCI to safely process and handle credit card information. List is endless. Achieving compliance to regulations imposed by government and industry is one of the top priorities for business. Compliance entails having strong security controls in your IT applications and associated processes. Security assessment helps to check compliances and in some case required.
Cost of security breaches
Cost of security breaches is increasing. It is not only loosing the customer confidence but enterprise may end up paying heavy penalties. Payment Card Industry (PCI) recently announced $50,000 fine per incident if cardholder data is compromised. ChoicePoint, lost information of 145,000 customers in 2005 and ended up spending $11.4 million in related cost.
Awareness of users
Users have become much more aware and attentive towards the privacy, confidentiality and safekeeping of their personal information. Media has helped to create awareness. Comments like ".. I refused to enter my credit card information as I don't see the padlock [SSL] at bottom of my browser window..." are common.
What is there to loose
Ultimate question for business may be what is there to loose.
- Data, which may be the biggest asset in the enterprise
- Public Image and Confidence of Customers
- Availability of applications causing unplanned blackouts for business
We have talked about what are potential business impacts due to insecure applications. Application Security Assessment helps to figure out what are the weaknesses and potential issues in our web application. Helps business spend the security dollars where it is most required. And way to consistently keep our applications one notch higher than the attackers.
. Gartner, Nov 2005 <http://gartner.com>
. Studies from numerous penetration tests by Imperva <http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html>