Posted by: David Scott
enterprise security, security awareness, security developer, security development, web applications, web management, web security
In some quarters, it’s being estimated that most enterprise web applications are insecure.
According to a study by Imperva, WhiteHat Security and the Ponemon Institute, 70% of respondents don’t believe web security is a strategy in their orgs, with appropriate budget targeted to web application security and associated risk.
This poses a major threat to the enterprise. Most organizations today grant access to mission critical apps through their websites. However, executive management doesn’t focus much on security – indeed, they may not even really understand it – and thus the proper emphasis and protections are not driven downward, into that bulk of managers and staff who actually do the doing in implementing security.
In all regards, security must be a central design element; in systems as well as human endeavors. In other words, security must be inherent in functionality, and process must reinforce – even force – adherence to security. In terms of human instruction, interactions, training, and use of systems, there must be the dissemination of appropriate protocols and refreshers and reminders for best security awareness. And, of course, all necessary updates.
Most organizations lack a cohesive, coherent, monitoring system for intrusion detection/attempts. Often, even simple event logs are not monitored, and logs are not synchronized across the enterprise in leveraging enhancing information, nor capturing an efficiency of review.
Unfortunately, security is a rather ho-hum endeavor. The excitement and attraction is always the “next big thing,” with resultant mods of bells and whistles that further use and delivery; time and budget are precious, and developers are pointed forward. They do not have time to look at the present lay of the land, in assessing or advancing security – until a breach forces them to, that is, by grabbing everyone’s attention by the throat.
It all starts with awareness. Do your part as you can, within the limits of your power and authority: Once the vulnerabilities are exposed (both systemic and organizational), the senior executive class understands that a breach can not only take some or all of business offline for some measure of time, it can result in the longer lasting liabilities in exposure of content, revenue loss, and compromise of reputation.
NP: Rapid Shave – Shirley Scott / Stanley Turrentine, jazz24.org