F5 Networks today urged Saudi businesses to put application security at the heart of plans to support the Kingdom’s tech-driven and transformative 2030 Vision.
The global application security specialist highlighted the pitfalls and opportunities for business leaders as it revealed findings from its first Annual State of Application Security report, conducted in partnership with the Ponemon Institute.[i]
“The proliferation of cutting-edge technology in Saudi Arabia is increasingly important as the Kingdom’s 2030 Vision is delivered. This is a genuinely transformative plan and applications will function as its central nervous system, empowering both individuals and businesses to prosper through new levels of flexibility and innovation,” said Mamduh Allam, Saudi Arabia General Manager, F5 Networks.
“However, the accountability for the security of applications appears to be in a state of flux, and IT departments still face significant barriers to ensure the integrity of these apps and the data they contain.”
The State of Application Security
50% of businesses run between 500 and 2,500 active applications, according to F5’s Application Security in the Changing Risk Landscape report; 12% use more than 2,500.
Although a third of all applications are deemed critical to day-to-day activity, only 35% of respondents said they had the resources to detect vulnerabilities, and as few as 30% said they had the technology to remediate them. A full 88% were concerned that new and emerging cyber-security threats would weaken the future state of application security.
Worryingly, 43% also said they had no confidence that they knew all the applications in their organisation, and a further 23% were only “somewhat confident”.
Allam explained that one of the biggest challenges businesses face is a sea change in IT responsibility, particularly as applications become more central to delivering vital services, adapt to mobile workforces and harness the Internet of Things.
F5’s survey found that 56% of respondents believe accountability for application security is shifting from IT to the end user or application owner. Whereas 21% of respondents said the CIO or CTO is accountable, another 20% said no one had full ownership.
“We are finding that businesses are still coming to terms with the onslaught of new technologies, such as the Internet of Things infiltrating all aspects of our professional and personal lives. As a result, IT departments are often unprepared and under-resourced to implement sufficient defence strategies,” said Allam.
“Poor visibility on the application layer, application migration to the cloud, the proliferation of mobile devices and the lack of preparation of the development teams are among the main pitfalls faced by Saudi businesses today.”
Spotting the problem
In the past year, the most common security incidents attributed to insecure applications were SQL injection (29%), DDoS (25%) and web fraud (21%).
50% of respondents reported that applications are attacked more frequently than the network layer, and 58% said these attacks are more severe.
63% of respondents said application-layer attacks are harder to detect than network-layer attacks, and 67% said they are more difficult to contain. The majority of respondents (57%) noted that a lack of visibility into the application layer is an impediment to achieving a robust security posture. In part, this can be attributed to network security being better funded than application security: F5’s report found that an average of 18% of the IT security budget is dedicated to application security, whereas more than double that (an average of 39%) is allocated to network security.
Other significant barriers are created by migration to the cloud (47%), a lack of skilled or expert personnel (45%) and the proliferation of mobile devices (43%).
Indeed, the growth in mobile and cloud-based applications is seen as significantly affecting application security risk. 60% of respondents say mobile apps increase risk (25%) or increase it significantly (35%), and 51% say cloud-based applications increase risk (25%) or increase it significantly (26%).
Lack of testing, minding the skill gap and DevOps to the fore
Almost half of respondents said their organization does not test applications for threats and vulnerabilities (25%) or that testing is not pre-scheduled (23%). Only 14% of respondents say applications are tested every time the code changes.
The situation is exacerbated by businesses having scant confidence that application developers in their organization practise secure design, development and testing. 74% are only somewhat confident (27%) or have no confidence (47%) that practices such as input/output validation, defensive programming and appropriate compiler/linker security options are applied.
Nevertheless, there is growing confidence that the increasing prominence and influence of DevOps or continuous integration will have a positive impact on application security. 35% of respondents say their organizations have adopted DevOps or continuous integration practices in the application development lifecycle. Of these, 71% say it has improved application security and 56% say it enables them to respond quickly to security issues and vulnerabilities.
The perceived cyber-security skills gap is also a pressing issue. 69% of respondents believe the shortage of skilled and qualified application developers puts their applications at risk. Moreover, 67% say the “rush to release” causes application developers in their organization to neglect secure coding procedures and processes.
Trust is King
Recent F5 research highlights the importance of businesses tackling these issues head-on or risking customer trust. A recent privacy and security survey of 1,000 Saudi consumers found that 59% are concerned that their data will fall into the wrong hands, followed closely by concern that their privacy will be compromised (57%). However, Saudi consumers were consistently more willing to give up their data than consumers in Europe: only 8% stated they would not give up their data at all, compared to 33% in the UK.
While consumers in Saudi Arabia regarded banks as the most trustworthy companies (91%), there is dissatisfaction with the methods used to protect their data. Consumers believed that banks (86%), public sector and government (80%), insurance (72%) and healthcare (71%) needed better authentication capabilities to achieve greater security. Across EMEA, 88% of consumers felt strongly that organisations should improve authentication for greater security.
“Ultimately, application security is a collective responsibility,” added Allam.
“Stakeholders in the equation of a successful application deployment strategy should include the IT department, developers, DevOps and also company CIO or CTO executives, who need to attribute more resources to this important area of business. Determining a sustainable ownership strategy for application security will help firms to deploy application security across their employee network for 24-hour access, on any device and from any location.”