Software solution providers have pervasive and stringent access control requirements, but all too often legacy applications haven’t been keeping up with the latest security best practices and this is now opening new vulnerabilities that may be exploited by industrious cyber criminals.
Why Software solution Provider Security Assessments?
The Cloud Security Alliance issued a press release headlined “Cloud Security Alliance Releases Latest Survey Report on State of Cloud Security Concerns, Challenges, and Incidents” that highlights the magnitude of the challenge:
“The survey found that over half of organizations are running 41 percent or more of their workloads in public clouds, compared to just one-quarter in 2019. In 2021, 63 percent of respondents expect to be running 41 percent or more of their workloads in public cloud, indicating that adoption of public cloud will only continue. Sixty-two percent of respondents use more than one cloud provider, and the diversity of production workloads (e.g. container platforms, virtual machines) is also expected to increase.”
The press release goes on to offer the following findings:
- Security tops concerns with cloud projects: Respondents’ leading concerns over cloud adoption were network security (58%), a lack of cloud expertise (47%), migrating workloads to the cloud (44%), and insufficient staff to manage cloud environments (32%). It’s notable that a total of 79 percent of respondents reported staff-related issues, highlighting that organizations are struggling with handling cloud deployments and a largely remote workforce.
- Cloud issues and misconfigurations are leading causes of breaches and outages: Eleven percent of respondents reported a cloud security incident in the past year with the three most common causes being cloud provider issues (26%), security misconfigurations (22%), and attacks such as denial of service exploits (20%). When asked about the impact of their most disruptive cloud outages, 24 percent said it took up to 3 hours to restore operations, and for 26 percent it took more than half a day.
- Nearly one-third still manage cloud security manually: Fifty-two percent of respondents stated they use cloud-native tools to manage security as part of their application orchestration process, and 50 percent reported using orchestration and configuration management tools such as Ansible, Chef and Puppet. Twenty-nine percent said they use manual processes to manage cloud security.
- Who controls cloud security is not clear-cut: Thirty-five percent of respondents said their security operations team managed cloud security, followed by the cloud team (18%), and IT operations (16%). Other teams such as network operations, DevOps and application owners all fell below 10 percent, showing confusion over exactly who owns public cloud security.
Bottom line is that software solution providers are just as much at risk as any other organization if not more so.
A Software Solution Provider Case Study
nVisium performed a comprehensive review of a complex web application for a major software and solutions provider. The goal of this engagement was to identify security issues in a legacy application that had never undergone a full security assessment.
Due to the stringent access control requirements, it was essential to ensure that privilege escalation was prevented throughout the large and complex codebase, and that protection from SQL Injection attacks were built in. As critical security issues were identified, nVisium recommended fixes directly to their developers.
nVisium then performed remediation validation of all fixes to confirm the correctness, and that more vulnerabilities were not introduced to the codebase. This demonstrates the effectiveness of nVisium’s approach to following up with clients and making sure they have appropriately fixed any issues uncovered during the engagement.
Recognizing that an outside trusted partner will provide an objective assessment f your capabilities and software infrastructure. Is a great first step. You may wish to revisit this blog on security assessments or this blog on the value of training your developers on security best practices and a great next step and then you will be ready to take an objective look at your own organization.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guide organizations to build best practices with high ROI into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT through services, software solutions and R&D unique to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Our security-savvy team implements leading-edge assessment techniques and world-class secure development training programs to eliminate vulnerabilities for both global enterprises as well as startup organizations, so when you are ready, schedule a consultation today or download our new eBook titled “Demystifying DevSecOps” to get started yourself.