Like all organizations, you’ve undoubtedly invested a lot of time and money attempting to insulate and protect your assets.
Your network is protected – firewalls are in nearly every device that connects to a network.
All servers are protected, thanks to advances in intrusion prevention systems. But our software applications are still largely unprotected and vulnerable.
Why?
Securing the network and hosts is well understood – they are tangible and controllable.
Software is complex; it’s bits and bytes. You can’t touch it, you can’t see it. It’s often ignored because it’s hard to understand (especially by traditional IT folks, who have never really worked in software development), and because IT folks believe that if you build a moat or erect a fortress wall, the castle cannot be breached. The result is that the highest-priority area of risk is getting the least attention. Software is left unprotected and vulnerable.
The National Institute of Standards and Technology estimates that 92% of exploitable vulnerabilities are in the software.
And that software is open to attack. Let’s take a look at how…
Historically, companies have spent money on protecting what is tangible: the network and the server. This is understandable: you can see it, you can touch it, and you want to manage it since you can control it. For security folks, software is a different matter: it’s outside your control, it’s developed by someone else (not in IT), and it’s more complex with all its moving parts and dependencies. Companies believed that if you protected the outer layers (network and hardware), the software would be unreachable and therefore not breachable. However, that has not proven to be the case: software is the new entry point.
Why? First, it’s easy to exploit, having been ignored for so long. Second, getting access to personal data and information is highly profitable.
Network-based or hardware-based security solutions are ineffective against today’s threats. One very interesting point to make here: network security ingrained a set of practices and principles that were essentially migrated over to software security. They were good practices for their time and place, but they are bad practices when it comes to software security:
- Security problems have simple solutions, e.g. patching, port blocking, password management.
- Security can be done after the fact by specialists, as opposed to “building it in”.
- We have trained our customers to expect that security is something that will be handled for them by the security specialist and does not require their active participation.