In its recent webinar titled, “IT Spending Forecast, 1Q20 Update- View from the Peak,” analyst firm Gartner, Inc. predicted that overall IT spending will decrease 8% in 2020 compared to 2019. That being said, Gartner anticipates that more than $3.4 trillion (yes, trillion!) dollars will be spent on information technology this year.
Despite macro IT purchasing trends, Gartner predicts that IT security software spending will increase by about 10% this year. The purpose of my blog is to empower you and your executive team to understand why Application Security should be considered a mission-critical investment.
Application Security: 5 Key Reasons Why
In today’s dynamic business environment, how can you encourage your executive team to invest in application security? There are at least five key reasons:
Reason #1: Applications are your customers’ lifeline to your business, more than ever
A recent survey by Mobile App Daily revealed that companies leveraged their mobile application presence primarily to improve customer service (38% of respondents), extend their Web experiences (26%) and increase revenue (24%). The remaining 12% of organizations primarily utilized mobile applications to foster customer loyalty. You will agree that these are all important business motivators.
And, that particular survey was updated in March 2020, just as the economic impact of COVID-19 was beginning to affect the global economy. Imagine the impact on your organization, if your mission-critical applications had been brought down by security vulnerabilities, just as your customers began to conduct almost all of their interactions with you via mobile and Web applications.
Reason #2: In 2020, your company’s brand is of paramount importance
Think of the companies that you’ve done the majority of your personal business with this year. Chances are that they are the businesses you trust the most. In an article titled, “Brand Matters…more than ever,” Neil Stanhope of brand agency Underscore explains that, “Brand reputation is not just how your company is perceived by your existing customers, but by the market as a whole. In times of crisis, people quickly turn to what they know and trust or how they work on market authority and word of mouth.”
Now, imagine if one of your preferred businesses experienced a significant security breach during these unprecedented times. How would your impression of the business have changed? Not only would your favorite business have faced an estimated average data breach cost of $3.92 million (based on Ponemon Institute research), its reputational cost would have been significant. All of this would have taken place during a time when customers were generally unable to interact with that business in person.
Reason #3: Threat actors don’t take vacations
While much of the world has adapted to limited business hours and a Work from Home environment in 2020, cyber-threat actors are as productive as ever. In a compiled IT Security study, TechBeacon reported that up to 92% of web applications contained security flaws or weaknesses that could be exploited, and it took businesses an average of 38 days to patch their web application vulnerabilities, regardless of severity. A joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) detailed a series of significant cyber-exploits in April of this year.
And, there’s no shortage of applications for malicious actors to exploit. The “Business of Apps” Web site estimated that users had between 2.6 million Android apps and 2.2 million iOS apps to choose from, as of the first quarter of 2019. And, all of those apps needed to be protected from malicious actors! It was further estimated that 194 billion application downloads took place in 2018 alone.
To encourage safer coding practices from the outset, the company I work for offers HCL AppScan CodeSweep, a complimentary Code Editor extension that detects security vulnerabilities while you code. Click on the link above to see the expanding list of supported CodeSweep languages, and you can even watch a brief YouTube video to learn more about CodeSweep.
Reason #4: Maintaining focus on high-impact vulnerabilities isn’t easy
One of the most powerful benefits of application security testing technology is that it permits you to focus on your most significant vulnerabilities, particularly those that are most likely to impact your organization’s infrastructure. To see how easy it is to set up your very first application security scan, check out our HCL AppScan Standard video.
Reason #5: Data Privacy regulations- They just keep coming!
California Consumer Privacy Act (CCPA)
In the United States, the National Conference of State Legislatures (NCSL) maintains a growing list of private sector data security laws by state.
One of the most prominent is the CCPA, which can penalize covered businesses for breaches that arise from Although the law doesn’t go as far as to define which security procedures and practices should be considered “reasonable,” the State of California has previously outlined safeguards that it viewed as constituting .
Those security practices are based on a set of 20 data security controls that are published by the . #4 on the CIS listing is Continuous Vulnerability Assessment & Remediation, and #18 on the listing is Application Software Security. Both of those controls directly relate to application security. (Note that the CIS link may require you to log in, in order to gain access).
New York’s is specifically focused on financial institutions. NYDFS requires covered financial institutions to install a detailed cybersecurity plan, designate a Chief Information Security Officer (CISO), enact a comprehensive cybersecurity policy and initiate & maintain an ongoing reporting system for cybersecurity events. The regulation also contains specific language for internal and external applications, in Section 500.08.
Section 500.08 of NYDFS also contains specific Application Security requirements that are recapped below:
“(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.
(b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.”
PIPEDA & GDPR
There are a growing number of regulations outside of the United States, including the The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the General Data Protection Regulation (GDPR) in Europe. Similar to California’s approach, Canada doesn’t specify particular safeguards that need to be followed, but you can find further details here. You can also watch our recent video that explains GDPR’s impact on Application Security Testing.
You should always remember that application security is only one component of your compliance efforts, and your organization always needs to develop a comprehensive plan.
Ready to test-drive Application Security Testing?
Do you have a better sense of the impact of Application Security Testing? Then, register now for a complimentary 30-day trial of HCL AppScan on Cloud, so you can test-drive application security technology on your own. You can also contact us for a more detailed demo of our appsec solutions. We look forward to connecting with you!