Anyone who has ever spent a long day at the office cleaning up after a security threat has probably wanted to curse out whoever made the vulnerable app. But a new study says that application isn’t always to blame – often, IT is.
The annual HP Cyber Security Risk Report covered a lot of ground this year. But one of the biggest takeaways from the report was its breakdown of application vulnerabilities.
The report found 80.4% of applications tested had at least one security flaw related to the environment.
In other words, these apps weren’t necessarily flawed at the coding level; they were vulnerable because of:
- server misconfiguration
- improper file settings
- outdated software versions, or
- other issues related to insecure deployment.
It gets worse
So that was the No. 1 cause of application flaws. What was No. 2?
Well, it doesn’t get any better for IT: 72% of apps had flaws related to security implementation, such as:
- access controls
- confidentiality, and
- privilege management.
So even if applications are installed correctly in your environment, there are still serious doubts as to whether they’re implemented securely.
Patches aren’t enough
This flies in the face of a lot of the messages IT has taken to heart. The old way of thinking was if you installed an app and kept it updated regularly, you were in the clear. The security would be taken care of.
And in fact, those patches seem to be getting better: a recent report on web application security by High-Tech Bridge found that critical security updates were released an average of 11 days after discovery in 2013. That’s down from 17 days in 2012, a 35% improvement.
Those quick patches are the trend across all kinds of applications.
But if the fault lies with the installation of these apps, you’re not going to be getting much out of frequent or quick updates.
What to do
So how can IT make sure applications are secure?
Here are some areas to focus your efforts:
- Consult with vendors. There could be a lot more resources available to you than you think when you purchase an app. Most IT departments make the buy then go about implementation on their own. Instead, consult with the vendor. See if they offer assistance with set-up or verification that the app has been installed correctly.
- Audit for the environment. Check regularly to be sure that software and apps are configured correctly. Double check after each update to your systems or applications. Catching these misconfigurations can ensure that apps are safe on both the developer’s end and IT’s.
- Encourage good processes. The installation and configuration of apps should be outlined in processes your people know like the back of their hands. Discourage shortcuts, and make sure processes are followed to the letter every time.
- Continue good patch management. Even if a majority of vulnerabilities stem from configuration, that doesn’t mean patches aren’t important. Continue to exercise good patch management and make sure you’re working from the most updated, secure version of an app. Also, keep an eye out for end-of-life cycles.
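One way to turn the "audit for the environment" item above into a repeatable check, as an added example that is not part of the original article or of the HP report: a small Python script that tests for the three environment-level problem classes the report names (improper file settings, outdated or end-of-life software, and a server setting that should not be enabled in production). The permission ceiling, version floor, end-of-life date and list of banned settings are assumed inputs that the auditing team supplies; the config text at the bottom is constructed sample data.

```python
import os
import stat
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    category: str  # file-settings, outdated-version or server-config
    detail: str

def check_file_settings(path, max_mode=0o640):
    """Improper file settings: flag a file whose mode bits exceed max_mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        return [Finding("file-settings", f"{path}: mode {mode:04o} exceeds {max_mode:04o}")]
    return []

def parse_version(v):
    """'1.10.2' -> (1, 10, 2) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))

def check_version(name, installed, minimum, eol, today):
    """Outdated software: flag a version below the required minimum or past end of life."""
    findings = []
    if parse_version(installed) < parse_version(minimum):
        findings.append(Finding("outdated-version", f"{name} {installed} is below required {minimum}"))
    if today >= eol:
        findings.append(Finding("outdated-version", f"{name} reached end of life on {eol.isoformat()}"))
    return findings

def check_server_config(text, banned):
    """Server misconfiguration: flag key=value lines whose value is on the banned list."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        if banned.get(key) == value:
            findings.append(Finding("server-config", f"{key}={value} is not allowed in production"))
    return findings

if __name__ == "__main__":  # constructed sample input, not real data
    sample_conf = "# app.conf\nlisten = 8080\ndebug = true\n"
    for finding in check_server_config(sample_conf, {"debug": "true"}):
        print(finding.category, finding.detail)
```

Run it after every update or system change, as the list above recommends, and treat any non-empty result as a deployment defect to fix before the app is considered installed correctly.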