The last time I proposed that we should collectively “get over” our concerns about SaaS and cloud security issues, I was making the point that whether we think these kinds of services are secure or not, the time has come to deal with the issues in the same way we deal with security for hosted applications.
The reality is that just because you've implemented a SaaS application doesn't mean you’re necessarily any more -- or any less -- safe from security threats.
I don't believe any one technology has a lock on security. From my perspective, if there is either data of value or personal notoriety to be gained by penetrating an enterprise, you'd better be vigilant about the apps you use, whether they sit inside or outside your firewall.
A report just released by security SaaS vendor Veracode provides real insight into the kinds of vulnerabilities it has found across nearly 3,000 assessments. Here's a recap of Veracode's top findings from its assessment of 2,922 applications:
Eight out of 10 Web applications failed to comply with the OWASP Top 10, a list of the 10 most dangerous Web flaws;
Cross-site scripting is the most common vulnerability;
Third-party applications were found to have the lowest security quality;
No single method of application security testing is adequate by itself.
What I find fascinating about this report (aside from the findings themselves) is the way the company is able to draw its conclusions. The assessment application is SaaS-based, and the results are stored in a single datastore, so every result is available for aggregated research and reports can be cut by nearly any criterion. That's a strength of the SaaS approach, and one that puts the technology at the top of my list of "great strides in computing."
On the other hand, I wonder how Veracode’s applications themselves stack up against the same tests they perform for their clients.
If you look through the report, you'll see conclusions broken out by application type, developer type, industry vertical, vulnerability type, time to resolve identified issues, application language, and several other dimensions.
The first two findings above are particularly interesting in that they point out that the majority of all software fails to meet "acceptable" security levels, and that the most prevalent vulnerability, cross-site scripting, is not an exotic one: it arises whenever a Web application echoes untrusted input into a page without validating it and encoding it for the context where it lands, so the input is interpreted as markup or script in the user's browser.
The message I take away from this is that the easy way to be secure is to unplug the Internet connection. Unfortunately, that's increasingly impractical if not impossible in today's connected environments, and it doesn't fix the underlying application flaws anyway. The next best practice is to perform vulnerability assessments on all your applications, and where possible, write commitments to resolve deficiencies into contracts and SLAs before making any business arrangements.
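Because the report singles out cross-site scripting as the most common flaw and the post closes by recommending assessments, here is an added example of both points. It is my own illustration in JavaScript, not code from Veracode or from the report: a page renderer that reflects a search term straight into HTML beside a hardened version that encodes it, followed by a minimal reflection probe of the kind a dynamic assessment runs against an endpoint. The search page, its template, and the `probe7f3a` marker are assumptions made for the illustration.

```javascript
// Added example (not from the original post or from Veracode): reflected XSS
// in a tiny page renderer, the hardened version, and a reflection probe.
// The search page, template and marker are assumptions for this illustration.

// Entity-encode text destined for an HTML element body or a double-quoted
// attribute. These five characters are the ones that can change HTML structure
// in those contexts. Other contexts (JavaScript strings, URLs, CSS) need their
// own encoders; this one is not sufficient for them.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must be first so later entities aren't re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// VULNERABLE: the untrusted query parameter is concatenated straight into the
// page, so a value such as <script>...</script> becomes markup the browser runs.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HARDENED: the same page with the value encoded for the HTML body context.
// The browser now displays the payload as literal text.
function renderSearchSafe(query) {
  return `<h1>Results for: ${encodeHtml(query)}</h1>`;
}

// Minimal reflection probe, the core of a dynamic check for reflected XSS:
// submit a fixed marker wrapped in HTML metacharacters and inspect whether it
// comes back unencoded. `render` stands in for an HTTP request to the endpoint
// under test; in a real scan it would be a fetch of the live URL.
// This detects reflected XSS only; stored and DOM-based variants need other
// probes, so a clean result here is not proof the page is free of XSS.
function probeReflectedXss(render) {
  const marker = 'probe7f3a';               // fixed so results are deterministic
  const payload = `<${marker}>"'&`;
  const body = render(payload);
  const reflected = body.includes(marker);           // did the input come back at all?
  const unencoded = body.includes(`<${marker}>`);    // did its angle brackets survive?
  return {
    reflected,
    vulnerable: reflected && unencoded,
    evidence: unencoded ? `<${marker}>` : null,
  };
}

// Stand-alone demonstration with a constructed attacker input.
const attackerInput = '<script>alert(document.cookie)</script>';
console.log('vulnerable page:', renderSearchVulnerable(attackerInput));
console.log('hardened page:  ', renderSearchSafe(attackerInput));
console.log('probe (vulnerable):', probeReflectedXss(renderSearchVulnerable));
console.log('probe (hardened):  ', probeReflectedXss(renderSearchSafe));
```

The probe is deliberately simple: it shows why XSS tops the list (one missing encoding step is enough) and what an assessment tool actually looks for, while the hardened renderer shows that the fix is output encoding at the point of rendering rather than anything to do with the network connection. Encoding must match the context; a value placed inside a script block or a URL needs a different encoder than the one shown here.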
— Scott Koegler was a CIO for 15 years and has been writing about technology for the last 18 years. He is editor of www.ec-bp.org, a newsletter that addresses supply chain technologies, and manages other newsletters at www.YourCompanyNewsletter.com. You can contact him at scott@koegler.net.
Security always seems to be the item at the bottom of the list that no one wants to get to or think about. It is always 'we'll get there when we can' or 'that's good enough for now' or 'no one would really even bother to try to get into this'.
It's tough stuff - the black hats are always out there always looking for an opportunity and being paranoid about it rarely makes you friends - the cost is high, the effort is high, and it is hard to know when you've actually done a good job in the end.
I'm not proposing that Veracode is better than (or even as good as) any other provider. I take their analysis as a good look at the state of software security, which seems to be pretty poor. It doesn't seem to me that the company is looking to promote its own agenda by way of its research, other than to say that if you're using software, you probably need to be doing some testing and then some fixing. That said, I'm sure they would be happy to contract to help with those kinds of tasks.
Is Veracode any better at securing these issues than other products? It seems like just another product propaganda publication. When setting up a network, the IT department, be it one guy or twenty, has their own recommendations for security. The various products on the market will always be sniping at one another. How do you choose?
In any and all roles: writing specs, developing, error-checking, testing, deploying, maintaining, using?
Combine the report you quote with one from a couple of months ago that a similar proportion of IT professionals don't take all the obvious precautions themselves, and one might be inclined to throw one's hands up and give up. But the (very slow) progress of checklists for doctors is encouraging. A simple thing like a checklist. Check off the top ten items on this report and the one I referred to, and you probably stop 99% of all problems before they can get a foothold.
I don't think SaaS security should be talked about unless you include virtualization. The fact that multiple databases can reside on the same piece of hardware has to be a security consideration, just as much as the fact that the data is cloud-based.
Clearly there is work, as there always has been, to be done in an attempt to secure our applications over the Internet. Since identifying a problem is half the solution, what needs to be done now is to find ways to resolve the vulnerabilities identified.
Security will always be an issue; the realistic thing is to have a means of reducing its negative effect.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.