By John Diamant, Distinguished Technologist, HP Enterprise Services
IT security quality is stuck in a time warp.
In the 1950s, consultant W. Edwards Deming taught Japanese leaders how to drive quality by applying statistical process controls from design to manufacturing. He unleashed a quality revolution that formed the basis of Japan’s industrial prowess. Deming’s quality revolution reached U.S. shores and the rest of the world by the 1970s. In the 1980s, it was applied to Information Technology.
Yet quality assurance levels in the IT security realm remain mired in the pre-quality space—akin to where manufacturing was in the fifties. This is despite the fact that the number of noxious cyber attacks has risen dramatically. (Discover how employees can sabotage enterprise security.)
Enterprise security at stake
Where in the IT sphere is the most gaping security defect located? According to a security breach investigations report, only 14 percent of successful attack pathways run through networks. A full 86 percent are through vulnerable applications—enterprise application security is the weakest link.
Decades ago, cyber-attacks were motivated by the potential fame or gain accrued to the individual hacker. These relatively unsophisticated attacks were generally conducted as a leisure activity during off-business hours in the attacker’s location.
Today, these threats are far more sophisticated, virulent, highly motivated, and well funded:
- Nation-states and criminal enterprises are engaged in industrialized identity theft and illicit information markets.
- The attacks are bold, striking during business hours.
- Illicit data is often the main business for these organizations.
And it’s highly lucrative. Enterprises can’t afford to ignore the risk.
The real cost
According to the US National Vulnerability Database compiled by the US Department of Homeland Security, there are some 47,000 publicly disclosed IT security defects. But security experts warn that the number of undisclosed or unreported defects is far higher—by at least 20 times. In downtime and dollars, these defects cost the enterprise dearly.
Every segment of society is vulnerable to these threats, from transportation and medicine to finance and government (defense, voting machines, etc.). In 2008, for example, a 14-year-old boy hacked into the Polish tram system and used it like a giant train set, derailing four cars.
Costs associated with security defects can be astronomical, averaging $1 million per hour in downtime costs alone. Yet the final toll can be far more devastating. In 2007, CardSystems Solutions filed for bankruptcy after a hacker stole 40 million credit cards from its systems. The breach prompted Visa and American Express to drop CardSystems as a credit card processor.
These gaping vulnerabilities demand new strategies. Deming’s total quality management process must be applied at each and every stage in the applications development lifecycle. This process should zero in on security critical applications—those that would have the most impact if compromised. It should be combined with security quality applied across the full lifecycle, especially including architectural threat analysis to locate the weakest links.
The security strategy may be the problem
Typical industry strategies—security patches, testing for vulnerabilities after implementation, code level analysis—are insufficient. It’s exactly backward to only focus there. Such strategies can never solve the problem alone because testing and patching don’t address poor security architecture quality. It’s like tightening wobbly car door bolts after the sale instead of designing fit and finish tolerances from the start.
To optimize IT security, it is essential to design quality assurances into the beginning of the software development lifecycle, then utilize security testing across later phases.
The key: Applications security is a process that should never be performed only reactively, and it can’t be solved in one fell swoop.
But you must begin. Costs increase dramatically as you move into the later stages of the applications lifecycle. And the problem will continue to worsen as hackers get more funding and their attacks grow in virulence. Next time, if you can make your applications security investments at the beginning, you’ll maximize your security quality.
Watch the Innovation INSIGHT webcast “Securing Your Applications: How to Avoid Building Enterprise Security on a House of Cards,” or join the discussion at the Innovation INSIGHT LinkedIn group.