With 92 percent of reported security vulnerabilities lurking in applications, not in networks, healthcare organizations must accept the need to address and improve application security to lower their risks, according to Synopsys, a vendor of software security and quality testing managed services. Here are six factors that healthcare organizations must take into account in beefing up application security.
Hiring and retaining security experts is difficult and costly
Even if successful at filling the position, the areas of expertise the new hire needs will span multiple domains as a software security program evolves. Areas of expertise required include malware, threat mitigation, cryptography and forensics; industry-specific knowledge, advanced analytics, network virtualization; and cloud and mobile security. Also essential are soft skills to do the job that include communication, management and reporting.
Vulnerabilities are often inherited from legacy or third-party applications
Hackers obviously look for the easiest way to get in, and providers with limited internal resources may not have the time or tools to identify all the paths hackers may choose, even if the organization is testing regularly. Further, attackers continue to exploit vulnerabilities in code, some of which may have been written many years ago. In-house developers may reuse code that has been in circulation for many years, and they may unwittingly produce programs with inherited security bugs and flaws.
Lumpy demand requires elastic capacity
“Lumpy demand” is something slow moving or too expensive. The most common cause of lumpy demand is an uneven pipeline of new applications coming out of the development group. Most companies no longer follow a fixed-release schedule. If the organization operates in an agile development environment, it could be facing almost continual feature releases with different levels of technical risk and business impact. Development needs to move forward for the company to stay competitive and meet customer demands.
Responding to frequent and rapid changes is critical
Not only is the organization dealing with a lumpy release schedule, but the business is also evolving. The security team needs to quickly evolve to keep pace on new threats that come light and must be investigated and addressed; new markets or industries that have different regulatory requirements, mobile apps start to be rolled out, and a merger or acquisition could place new apps into the environment. If demand spikes without a full application security team in place, prepare to be scrambling to test and clean up code, or deploy patches to software that is already in the hands of users.
No single testing tool can catch every vulnerability
Acquiring a tool to test software is not a guarantee of reducing risk. Recognize that each security testing tool has different strengths, and no tool catches everything. If resources only allow an organization to implement one or two security testing tools, critical issues could be missed that increase risk. The organization could spend countless hours chasing false positives.
Tools alone are not enough to stay safe
To protect applications that manage business critical functions or access sensitive data, running a standard set of automated scans is insufficient. What’s needed is expertise to execute in-depth manual tests and interpret results. Application security changes constantly. New threats and attack vectors emerge continually and new regulations ramp up compliance requirements. Testing and prevention strategies need to stay up-to-date.
Date: June 08, 2019
Source: Health Data Management