Top 5 Reasons Why You Need an AppSec Program

Veracode Gbook

Introduction

Hardly a day goes by without a news story about a major data breach. And most of these breaches stem from vulnerabilities in applications. Yet, most companies are not investing in application security.

A variety of misconceptions lead to the lag in appsec adoption, but the reality is: you need an appsec program.

THE FOLLOWING ARE THE TOP 5 REASONS WHY…

1. Software is critical to your business.
2. Most apps are hackable.
3. Apps are the top attack vector.
4. You’re not immune if you don’t develop your own software.
5. If you get breached, you will pay.

REASON #1: Software is critical to your business.

You’re a software company, whether you know it or not.

The world now runs on applications. Every company uses applications to make business decisions, and to interact with business partners. Even GE now considers itself a software company.

With this increased reliance on software, application quality now impacts your bottom line.

“On our current trajectory, GE is on track to be a top 10 software company.”
JEFFREY R. IMMELT, CEO, GENERAL ELECTRIC

REASON #2: Most apps are hackable.

Veracode’s State of Software Security Report revealed that about 70 percent of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types.

REASON #3: Apps are the top attack vector.

In fact, Web and mobile applications account for more than a third of data breaches (Web + mobile: 33%).

Attacks at the application layer are growing by more than 25% annually.

From Q1 to Q2 2015, there was a 17.65 percent increase in DDoS attacks targeting the application layer.
Akamai’s Q2 2015 “State of the Internet Security Report”

Sources: 2014 Verizon Data Breach Investigations Report; Q3 2015 State of the Internet Security Report, Akamai, Dec. 8, 2015.

39% of the costs associated with information loss are due to business disruption, including lost employee productivity and outright failures.
Q3 2015 State of the Internet Security Report, Akamai, Dec. 8, 2015

$7.7 million per company is the average annual loss worldwide due to cybercrime.
2015 Ponemon Institute Cost of Cyber Crime Study: Global

A typical $500 million-plus enterprise has developed more than 3,079 applications.
According to “2014 State of the CIO,” CIO Magazine

Enterprises have spent billions of dollars securing the network, perimeter and hardware at their organizations, but have yet to invest sufficiently in securing their applications.

At the same time, these enterprises are building, buying and downloading applications at a breakneck pace and in record numbers.

Why are apps the top attack vector? Because hackers know we’re sloppy about securing them.

[Infographic: 79%, 28% and 63%, each paired with one of the following findings]
• … of enterprise applications are never assessed for vulnerabilities (according to IDC)
• … of developers either have no process or an ineffective ad hoc process for building security into applications (according to Ponemon)
• … of organizations don’t even know how many applications they have (according to SANS)

REASON #4: You’re not immune if you don’t develop your own software.

Cyberattackers are looking for the path of least resistance into your organization, and that path is increasingly through less-critical and third-party applications.

65 percent of a typical enterprise application portfolio comes from third parties, yet 90 percent of third-party code does not comply with enterprise security standards such as the OWASP Top 10.
According to Quocirca and Veracode’s report, State of Software Security: Enterprise Testing of Software Supply Chain

A scary example…

JPMorgan Chase was breached through a third-party app promoting its charitable road race. The breach led to records stolen from 76 million households and 7 million businesses.

Your application security program should include third-party software, and hold it to the same security standards as internally developed software.

You’re not off the hook if you don’t develop your software from scratch either.

Remember Heartbleed? That headache stemmed from a vulnerability in OpenSSL, a common component used in applications to encrypt data in transport.

Community Health lost more than 4 million patient records thanks to a breach due to the Heartbleed vulnerability.

Things to consider:

1. Components make development easier… and riskier.
2. Your organization doesn’t own the code and can’t update it if a vulnerability is found.
3. You need an application security program that tracks the use of components and outlines acceptable ways to use them.

REASON #5: If you get breached, you will pay.

The Verizon 2015 Data Breach Investigations Report found that data breaches cost businesses around the world $400 million. Don’t underestimate the cost of a breach.

COST OF A BREACH

LOST REVENUE: This might result from stolen corporate data, lowered sales volumes (if consumers get scared) or falling stock prices.

MONEY SPENT ON INVESTIGATION AND CLEANUP: A recent joint Veracode/Centre for Economics and Business Research (Cebr) report found that cyberattacks cost UK firms £34 billion in revenue losses and subsequent increased IT spending.

You’ll also feel the cost of a breach in…

COST OF DOWNTIME: A recent Information Age article estimated that every hour of downtime costs businesses $100,000.

BRAND DAMAGE: The long-term reputation damage associated with security breaches can be substantial and lead to intangible costs or loss of business.

The end goal for any organization should be a mature, robust application security program that:

• Assesses every application, whether built in-house, purchased or compiled
• Enables developers to find and fix vulnerabilities while they are coding
• Takes advantage of automation and cloud-based services to more easily incorporate security into the development process and scale the program