Empirical Research Reveals Strategies for Reducing Risk by 80 Per Cent
New research from @stake, Inc., the world's leading digital security consulting firm, shows that the typical e-business application is at serious risk of compromise due to application security flaws introduced early in the design cycle. The research is being unveiled at the RSA Conference 2002 in San Jose, California.
@stake found that while nearly half of application security defects - 47 percent - are both readily exploitable and could cause significant loss of reputation or customer revenue, the defects were entirely preventable. While the current state of application security is grim, not all applications are created equal. Of the forty-five e-business applications analysed, @stake found that the best-designed e-business applications have one-quarter as many security defects as the worst. As a result, these applications carry 80 percent less business-adjusted risk than the least secure.
"Security is a critical factor in developing solid software on which companies can build their businesses," said Jeremy Epstein, director of product security & performance for webMethods, Inc. "To ensure solutions are ready to market, companies need better ways of quantifying risk. Grounded in analytical rigor, @stake's research provides a benchmark for security best practices."
In "The Security of Applications: Not All Are Created Equal," @stake provides empirical detail on nine classes of common security flaws that cause applications to be insecure. These are administrative interfaces, authentication/access control, configuration management, cryptographic algorithms, information gathering, input validation, parameter manipulation, sensitive data handling and session management. The research also discusses the impact of design choices on application security, and identifies the most common application security mistakes:
1) Most firms do not adequately provide secure authentication and access control features within applications
2) User session security remains the Achilles' heel of most e-business applications
3) E-business applications typically trust user input implicitly or rely on client-side validation, rather than having the server check for inappropriate data
"Many companies treat security as 'penetrate and patch' rather than employing secure software engineering practices that would have produced a safer application from the start," said Andrew Jaquith, program director, @stake, Inc.
@stake also compares and contrasts the top and bottom performers in the study as measured by business risk in order to benchmark application security best practices. The six areas that differentiated the top performers from the bottom are:
1) Early design focus on user authentication and authorisation
2) Mistrust of user input
3) End-to-end session encryption
4) Safe data handling
5) Elimination of administrator backdoors, mis-configurations and default settings
6) Security quality assurance
@stake's CTO Dan Geer concurs: "Our research shows that the primary difference between the top and bottom performers is due to superior practices in designing, coding and deploying secure applications. The most secure applications carry the least risk."
To help corporate risk managers identify and manage sources of risk in their electronic businesses, @stake recommends a course of action. The firm's research will help companies justify strategic investments to improve the security of applications.
@stake's application security research is the second in a series on Return on Security Investment (ROSI). Earlier findings appeared in the Q4 2001 issue of Secure Business Quarterly, and ran as the cover story of the February 2002 issue of CIO magazine.
For more information and a copy of the research, please visit http://www.atstake.com
- ends -
For more information, contact:
Tel: +44 1753 44 88 81
Tel: +44 1753 44 88 61
@stake works where business and technology intersect, because that is where security is most powerful. The firm integrates technical and business expertise to build security solutions that look beyond the network to the security of applications and data, and future business goals.
@stake couples vertical industry expertise in three areas (financial services, communication service providers and e-markets) with pioneering research, to design and build strategic security solutions that enable the electronic business initiatives of its Global 2000 clients. Amidst other providers for whom security services are a way to sell products or drive the sale of broader service offerings, @stake stands out with its dedicated focus on security consulting services and the unmatched calibre of its people.
This press release was distributed by ResponseSource Press Release Wire on behalf of Pleon in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit https://pressreleasewire.responsesource.com/about.