From The Expert Feature Article
June 04, 2013

Cenzic Talks Managed Security

MSP Today reached out to Bala Venkat, chief marketing officer at Cenzic, to find out more about pressing managed security issues.

MSP Today: What are the security issues with corporate applications? Are these less secure than commercial software?

Venkat: The issues are the same. Each software application (whether corporate or commercial) goes through a code development cycle before being pushed into a production environment. We've found repeatedly that the majority of these applications do not incorporate security into their code development stage in the software development life cycle (SDLC). Developers are most concerned about deadlines to push the code into production, and as a result, miss closing the gaps on critical vulnerabilities.

MSP Today: If I have layers of security already, why should I specifically test and protect my software?

Venkat: There is a bit of an educational and awareness issue here. Even today, I run into folks who think that just because they have an IDS, IPS or a firewall they're protected on their software application security. The problem is that IDS, IPS and firewall technologies protect at the network and transport layers.

Also, SSL is often mistakenly believed to protect application software against vulnerabilities. However, it is important to understand that SSL technology establishes an encrypted link between a Web server and a browser. When you are conducting transactions on a site (buying books on Amazon, for example), SSL ensures that all data passed between the Web server and browsers remains private and is not hijacked by a hacker.

While SSL is a great technology to ensure that consumers' browsers are communicating with the businesses' servers in an encrypted manner, and to ensure that these are legitimate businesses, it doesn't prevent the bad guys from hacking the websites or the Web applications through vulnerabilities in Web applications. With over 97 percent of Web applications vulnerable, and over 75 percent of attacks occurring through Web applications (a lot of those sites have SSL), we know there's a major disconnect. It is critical for companies to incorporate Web application security into their security posture because the sensitive data and important information the hackers are after reside in the back end - the application server and the database. If this is unprotected, the hacker can easily get in and retrieve the information through simple tricks (e.g., SQL injection, XSS, CSRF, etc.).

MSP Today: How does mobile app development change the corporate security equation?

Venkat: Organizations are increasingly driving functionality to mobile devices today. Developers of mobile applications must understand the capabilities of their chosen development platform(s) as well as understand how to design and build applications to securely take advantage of mobile capabilities without exposing their organizations or application users to threat vectors.

As such, any mobile application development intensifies the corporate security equation in that organizations must take the following steps to ensure these applications are developed and pushed into production without compromising security:

  • Integrate security processes during early stages of the development cycle (concept phase).
  • While gathering requirements for the pre-design and app design stage, understand and document security issues and possible controls to be incorporated.
  • Perform a detailed security review (often done by a security expert) during the pre-design and design phase.
  • Conduct peer reviews to identify and fix security vulnerabilities as the process moves into the application development stage.
  • Test the app thoroughly to ensure it is completely free of security issues. Neatly document all processes and build security test cases, prior to testing the app.
  • During the last stage of deployment, the production team must work in tandem with the security team to ensure complete application security.

MSP Today: How much of your business is custom/corporate software vs. testing legacy and commercial apps?

Venkat: We assess and test all applications - custom, corporate, legacy and commercial apps - as long as they are Web applications, mobile apps or Web services. We offer choice and flexibility for our customers - i.e., on-premise, managed services, self-service SaaS, and a hybrid model - so the customer can choose the exact option to meet their business needs.

MSP Today: There are programming tools that try to bake security into software from early on. How is your approach different?

Venkat: We guide companies to bake security into software early on during the SDLC process. Our approach is no different.

MSP Today: Why is a service a good model for this kind of function?

Venkat: A service model (especially Managed Services) takes the burden of maintaining application security off enterprises. Cenzic's Managed Service offering does that too, but it also provides enterprises with the most comprehensive solution available today for application security testing and is operated by our seasoned security team. Our managed offering helps lower capital expenditures and operating costs, while also giving enterprises the assurance that they are keeping up with the latest security threats to their business.
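The interview's point that SSL only encrypts the link and does nothing about a flaw in how the application builds its queries is easiest to see in code. The following is an added example, not part of the interview and not Cenzic's code. It uses an in-memory SQLite database with a constructed two-user table and a constructed attacker payload; the `login_vulnerable` and `login_safe` functions are hypothetical names chosen for the demonstration. Nothing in either function depends on whether the request arrived over TLS, which is exactly why a site with a valid certificate can still be compromised through SQL injection.

```python
"""
Added example: SQL injection succeeds or fails based on how the query is
built, not on whether the transport was encrypted.

Sample data and the attacker payload are constructed for this demonstration.
"""
import sqlite3


def make_db():
    """Build a small constructed users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """String-concatenated query: attacker input becomes SQL syntax.

    This is the flaw the interview calls a 'simple trick'. A WAF, IDS or
    TLS in front of the server does not change the string this builds.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """Parameterised query: input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker payload. The closing quote ends the username literal,
# OR 1=1 makes the WHERE clause true for every row, and the SQL comment
# marker (--) discards the rest of the statement, including the password check.
PAYLOAD = "' OR 1=1 --"


def demo():
    """Run both login functions against the same data and attacker input."""
    conn = make_db()
    return {
        # Vulnerable path: returns the first user without any valid credential.
        "vulnerable": login_vulnerable(conn, PAYLOAD, "not-the-hash"),
        # Safe path: the payload is just an unknown username, so no row matches.
        "safe": login_safe(conn, PAYLOAD, "not-the-hash"),
        # Safe path still works for a legitimate login.
        "legit": login_safe(conn, "bob", "h2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The vulnerable path authenticates as `alice` from a payload that contains no valid credential at all, while the parameterised version treats the same bytes as an ordinary (non-matching) username. Encrypting the connection would only have hidden the payload from a passive observer on the wire; the application server would still have executed it.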