The last time I proposed that we should collectively “get over” our concerns about SaaS and cloud security, I was making the point that whether or not we think these services are secure, the time has come to deal with their risks the same way we deal with security for the applications we host ourselves.
The reality is that just because you've adopted a SaaS application doesn't mean you're necessarily any more -- or any less -- exposed to security threats.
I don't believe any one technology has a lock on security. From my perspective, if there is either data of value or personal notoriety to be gained by penetrating an enterprise, you'd better be vigilant about the apps you use, whether they sit inside or outside your firewall.
A report just released by security SaaS vendor Veracode provides real insight into the kinds of vulnerabilities it has found in the nearly 3,000 assessments it has performed. Here's a recap of Veracode's top findings from its assessment of 2,922 applications:
Eight out of 10 Web applications failed to comply with the OWASP Top 10, a list of the 10 most dangerous Web flaws;
Cross-site scripting is the most common vulnerability;
Third-party applications were found to have the lowest security quality;
No single method of application security testing is adequate by itself.
What I find fascinating about this report (aside from the findings themselves) is how the company is able to draw its conclusions. Veracode's assessment service is itself SaaS-based, and the results of every scan land in a single datastore. That makes the whole body of results available for aggregated research, so it's possible to build reports on nearly any criteria with little effort. That's a strength of the SaaS approach, and one that puts the technology at the top of my list of “great strides in computing.”
On the other hand, I wonder how Veracode’s applications themselves stack up against the same tests they perform for their clients.
If you look through the report, you'll see conclusions broken out by application type, developer type, industry vertical, vulnerability type, time to resolve identified issues, application language, and several other dimensions.
The first two findings above are particularly interesting in that they point out that the majority of all software fails to meet “acceptable” security levels, and that the most prevalent flaw, cross-site scripting, is nothing exotic: it arises whenever an application echoes untrusted input back into a Web page without encoding it, so any application that accepts input from Internet users is exposed to it.
The message I take away from this is that the only easy way to be secure is to unplug the Internet connection. Unfortunately, that's increasingly impractical if not impossible in today's connected environments. The next best practice is to perform vulnerability assessments on all your applications and, where possible, to write commitments to resolve deficiencies into contracts and SLAs before making any business arrangements.
— Scott Koegler was a CIO for 15 years and has been writing about technology for the last 18 years. He is editor of www.ec-bp.org, a newsletter that addresses supply chain technologies, and manages other newsletters at www.YourCompanyNewsletter.com. You can contact him at scott@koegler.net.