After spending the week in Orlando at FS-ISAC’s Annual Summit, it’s clear that the financial services industry has a particularly daunting task when it comes to safeguarding critical systems. Ask anyone in AppSec what version of Java they’re running and the answer is always the same: “all of them.”
With another productive Summit behind us, I thought that it would be a good time to highlight some of the problems we heard during last week’s event.
Productivity over Patching
Application downtime can cost tens of thousands of dollars, especially for applications handling transactions. For this reason, organizations plan their patching around established maintenance windows. But as the recent zero-day vulnerability in Oracle’s WebLogic servers showed, attackers don’t take a vacation. In fact, automation is making attacks, especially against web applications, omnipresent.
With this constant barrage from the bad guys, AppSec teams are caught between securing critical applications and minimizing the risk to business operations. Binary patches don’t come with compatibility guarantees, so even when a patch is available, time must be spent testing it against the application before it can be deployed. With all that said, how can security leaders minimize the window of exposure and still outrun the incoming threats?
- Keep a good inventory. Companies need to know which applications they own, what those applications depend on, and the supply chains behind those dependencies. Wipro, one of the largest third-party service providers, suffered a significant breach in April that was used to reach client systems. On the heels of that news, Synopsys released its Open Source Security and Risk Analysis report, which found open source in 96% of the codebases audited and at least one known vulnerability in 60% of them. We can no longer assume that external components are safe.
- Don’t ignore your risk register or your legacy applications. These are often the most valuable assets in the organization, and while they may sit behind much stronger perimeter security than other applications, that does not make them impenetrable. Perimeter controls also carry a high cost in false positives, so their alerts are often ignored or disabled altogether. A warning is only as good as the preparation behind it and the reaction it triggers.
- Consider technology purpose-built to secure complex applications. Runtime Application Self-Protection (RASP) and next-generation web application firewalls (NG-WAF) are both designed to address the OWASP Top 10, with the caveat from the point above: a control whose alerts are ignored protects nothing. NG-WAFs are often confused with traditional web application firewalls, whose alerting, blocking, and tuning problems have soured many app owners on technology created specifically to protect business-critical applications.
- Hire for, and continuously train, development teams in secure coding practices. As secure coding gains momentum, IT security and development leadership must work together to build a company mindset that makes security part of the company’s DNA. Supporting tools give companies a way to cross-pollinate internal silos with secure principles. Choosing the right KPIs and employee incentives, providing secure software development tools, and implementing application security controls together form a layered approach that strengthens the overall security posture.
- Patch quickly. Once a vulnerability is announced it is a race to patch, or face the risk of being attacked. Keeping up with the volume of patches is next to impossible, but patching high-risk vulnerabilities is necessary to secure mission-critical applications. Things get more complicated in financial services, where applications can go unpatched for so long that applying a security patch could break app functionality and cause major business disruption. Controls like RASP and NG-WAF can act as a virtual patch, blocking exploitation of a known vulnerability while the vendor patch is tested, but they buy time rather than replace the fix: the vulnerable code is still present, and the protection is only as good as the rule or instrumentation behind it.
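The inventory point and the patch-quickly point above are two halves of one procedure: know what you run, join it against published advisories, and work the result from the highest-risk, longest-exposed item down. As an added example (not code from the original post or from any vendor product), the script below does that join over a constructed inventory. Every component name, version range, advisory id, severity and date in it is a hypothetical placeholder, not a real product or CVE; the only real technique is the numeric version comparison and the exposure-window ordering.

```python
"""Added example: turn an application inventory into a patch-priority list.

All data below is constructed for illustration. Component names, advisory
ids ("ADV-..."), affected ranges, severities and dates are hypothetical
placeholders and do not refer to any real product or CVE.
"""
import re
from datetime import date

# Constructed inventory: application, component, version, and who owns the app.
INVENTORY = [
    {"app": "payments-gateway", "component": "example-app-server", "version": "12.2.1.3", "owner": "payments"},
    {"app": "payments-gateway", "component": "example-json-lib", "version": "2.9.8", "owner": "payments"},
    {"app": "branch-portal", "component": "example-json-lib", "version": "2.10.1", "owner": "retail"},
    {"app": "branch-portal", "component": "example-jvm", "version": "1.8.0_181", "owner": "retail"},
]

# Constructed advisory feed: inclusive affected range, first fixed version,
# CVSS-style severity, and publication date (used for the exposure window).
ADVISORIES = [
    {"id": "ADV-0001 (hypothetical)", "component": "example-app-server",
     "affected": ("12.0.0", "12.2.1.3"), "fixed": "12.2.1.4", "severity": 9.8, "published": date(2019, 4, 26)},
    {"id": "ADV-0002 (hypothetical)", "component": "example-json-lib",
     "affected": ("2.0.0", "2.9.9"), "fixed": "2.10.0", "severity": 7.5, "published": date(2019, 3, 1)},
]

# Fixed "today" so the exposure numbers are reproducible (constructed).
TODAY = date(2019, 5, 1)


def parse_version(text):
    """Turn '12.2.1.3' or '1.8.0_181' into a tuple of ints so versions compare
    numerically; naive string comparison would sort '2.10' before '2.9'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_in_range(version, low, high):
    """Inclusive range check. Shorter tuples are zero-padded so that
    '2.9' and '2.9.0' are treated as the same version."""
    v, lo, hi = (parse_version(s) for s in (version, low, high))
    n = max(len(v), len(lo), len(hi))
    v, lo, hi = (t + (0,) * (n - len(t)) for t in (v, lo, hi))
    return lo <= v <= hi


def find_exposures(inventory, advisories, today):
    """Join inventory against advisories and return one finding per vulnerable
    component instance, ordered by severity and then by days since disclosure,
    i.e. the order in which the patch (or virtual patch) work should be done."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["component"] != item["component"]:
                continue
            low, high = adv["affected"]
            if not version_in_range(item["version"], low, high):
                continue
            findings.append({
                "app": item["app"],
                "owner": item["owner"],
                "component": item["component"],
                "version": item["version"],
                "advisory": adv["id"],
                "fixed_in": adv["fixed"],
                "severity": adv["severity"],
                "days_exposed": (today - adv["published"]).days,
            })
    findings.sort(key=lambda f: (-f["severity"], -f["days_exposed"]))
    return findings


def report(findings):
    """Render findings as one line each: severity, exposure window, owner, fix."""
    lines = []
    for f in findings:
        lines.append(
            f"{f['severity']:>4}  {f['days_exposed']:>3}d  {f['app']} ({f['owner']}): "
            f"{f['component']} {f['version']} -> upgrade to {f['fixed_in']}  [{f['advisory']}]"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_exposures(INVENTORY, ADVISORIES, TODAY)))
```

In practice the inventory comes from a software bill of materials generated at build time and the advisory feed from a vulnerability database, but the join and the ordering are the same. The exposure-window column is the number to watch: it is the time between public disclosure and the point at which your maintenance window, test cycle, or compensating control actually closes the gap.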
Financial services is an industry somewhat hampered by the monolithic applications that have fuelled its business for decades. Given the monetary gain on offer, it will most certainly remain one of the industries most targeted by attackers.