According to a just-released report, keeping business applications both accessible and secure is increasingly tricky as the number of applications within businesses rises. The survey showed that infosec professionals want managers on the business side of the house to get more active in the app risk management process.
For its 2014 State of Network Security report, AlgoSec Inc., a provider of network security policy management services, surveyed 142 security and network operations professionals at the 2014 RSA Conference. The survey, which aimed to pinpoint the challenges respondents face when balancing the security and access requirements of business-critical applications, showed the number of deployed business applications is increasing dramatically, with 60% of the respondents indicating their organizations have more than 50 apps to manage, and 20% are responsible for more than 500 apps.
That vast quantity of apps is creating a number of headaches for security and network professionals, according to the report, as just over half of the respondents indicated the biggest challenge was simply identifying and prioritizing critical vulnerabilities.
From the rest of those surveyed, 21% laid blame on the business units responsible for such applications, claiming they are unwilling, or unable, to fix vulnerabilities that have been identified. Another 24% said their respective organizations simply don't understand security risk in a business context, making the implementation of timely fixes a challenge.
Altogether, more than nine out of ten surveyed in the AlgoSec report believed business stakeholders should "own the risk" related to the application, not leave it as the sole responsibility of security and network teams.
Nimmy Reichenberg, AlgoSec's vice president for marketing and strategy, agreed that business leaders are ultimately responsible for app risk management, drawing the analogy between those stakeholders and homeowners. A homeowner could bring in a security consultant to protect their home from being burgled, for example, and the consultant's recommendations could be to build a fence, install an alarm system, or even dig a moat and fill it with crocodiles. The homeowner, he said, must still weigh the costs and benefits associated with each security measure, and compare them to the actual risk of intrusion.
In the same vein, Reichenberg said, "Security practitioners can definitely analyze the risks, but what is your appetite for risk? How much do you want to invest for better protection? Ultimately, it's the business application owner's responsibility to understand the level of risk in his application and to determine the course of action."
In the case of the Heartbleed OpenSSL vulnerability, he argued, it's obviously important to stress the severity of the bug and the need for applying a timely fix, but security pros should also indicate to decision makers whether the vulnerability is present on a mission-critical Web server or one where a breach won't have a huge impact. As large enterprises may have hundreds of Web servers, Reichenberg said that providing such information enables business leaders to make more informed security decisions and, in the case of Heartbleed, allow the security team to prioritize the patches that are pushed out to any vulnerable servers.
"That's just one vulnerability. If you've ever seen the results from a vulnerability scanner, they spit out hundreds of thousands of vulnerabilities, more than you could ever reasonably address," Reichenberg said. "The idea is to take a business application and say 'Here is the overall level of risk with this application,' and if it's above the threshold that your organization tolerates, then you need to do something about it."