Helping clients manage their technology for over 30 years.

Application Security Scanning Can Save Your Business

Magnifying glass photograph

Web and mobile applications are everywhere, often working 24×7. They handle login pages, shopping carts, webmail, support and product request forms, content management systems, and much more.

These apps perform in numerous client-side browser and operating system environments, and can be deployed quickly, just about anywhere, and at little or no cost. Although they may be developed in-house, many are acquired from third parties. More than 90% of enterprises use third-party offerings in their mobile BYOD efforts, according to Gartner. Continue reading

When It Comes to Security, Know Thyself

Data Security & Data Loss Prevention (DLP)

“If you don’t understand the risks, you don’t understand the costs,” security guru Bruce Schneier advised during a TED talk.

He was discussing security in the abstract — but it got me thinking about IT security in particular and the difficulty many executives face trying to determine if their organizations are safe from cyberattack.

The problem is that these conversations nearly always turn technical. Soon, a flurry of technology acronyms — confounding but apparently reassuring — begin flying around the room.

And, reports Schneier, it works. People, he says, will “respond to the feeling of security and not the reality.”

So what can a CEO do to understand the reality of security risk and grasp what the actual cost of security failure might do to the organization?  Continue reading

98% of Apps are Insecure — Here’s How You Can Protect Yours

Mobile phone with password on screen to illustrate mobile security services

Sadly, one can make the argument that if software vendors did a better job of integrating security testing throughout the development lifecycle, our current struggles with application security might be less challenging.

In fact, however, software vendors are late to the party. Their security testing tends to be tacked on to the end of development lifecycles as an afterthought, which may account for one recent study’s startling conclusions that:

  • 98% of applications carry at least one application security risk (and each risk may signal the presence of multiple vulnerabilities)
  • 80% of applications showed more than five risks
  • The average application registered 22.4 risks

Continue reading

Apps, Apps Everywhere — But How Secure Are Yours

Did you know that your applications are the most vulnerable part of your IT operations?

iPhone with lock to symbolize Cloud Security. Cloud in background

These days, problems with apps — many of them web-based apps — account for the majority of information security breaches. Over the last year or so, and going forward, application-level attacks have emerged as the preferred vector for gaining access to sensitive (and valuable) data. What’s more, the threats are becoming increasingly acute as complex web apps, as well as mobile apps, play ever greater roles in our business and personal activities.

App vulnerabilities for sale — cheap at the price? Continue reading

Application vulnerabilities: Closer than you think

graph showing application vulnerabilities. small version has no labels.

Consider: Last year, according to Verizon, 54% of data breaches began as attacks on web applications, and for years one type of attack — SQL injection — has been the means by which 83% of stolen records were extracted. Meanwhile, says Gartner, 25% of all DDOS attacks this year will be application-based, and an increasing portion of these attacks may actually be diversions in which the bad guys use remotely accessible malware to target user accounts (for personal data or, in the case of financial institutions, for money).
Continue reading

CEOs in the Crosshairs

Writing hand in crosshairs

When it comes to security breaches, CEOs stand in the crosshairs. More than their IT staffs, it’s a CEO who’ll take heat for a breach that exposes customer data or endangers relationships with business partners.

So, unlike plenty of other IT issues that don’t require C-level attention, information security ranks right up there alongside financial issues as something with which CEOs need to be familiar. Yes, information security can be daunting, but so are financial statements — and CEOs have to sign off on those.

Where to start? Here are three questions every CEO should be able to answer: Do you know who your security expert is? Do you have a security policy? Do you understand how it’s implemented, managed, enforced, monitored?

Continue reading

How safe are your apps?

Key icon to represent security

A recent report by Forrester Consulting suggests your web applications may be far more vulnerable than you think. According to Forrester, 51% of the 240 North American and European companies surveyed experienced at least one application security incident since the beginning of 2011. And 18% of those suffered losses of at least $500,000. For 8% of those surveyed, losses topped $1 million.

Continue reading

Are the applications you use endangering your business? A look at the solution

Application security scan

Hackers have many ways to exploit even the smallest vulnerabilities in your application environment and too often you’re compromised even before you grasp that there’s a problem.

Fortunately, it doesn’t have to be this way. The solution is an application security scan conducted by a services provider adept at dealing with issues related to application development, support — and, of course, security.

Continue reading

Are the applications you use endangering your business? A look at the problem

application security

With all the security your IT operations (should) have, you’d think this question would be moot — but it isn’t. The applications your business and your employees rely on could be time-bombs poised to destroy your ability to function.

That’s because the vast majority of applications used in business today are connected to the Internet, often in a variety of ways.

Continue reading

Why a SAS 70 Type II audit matters

Since the arrival in 2002 of the Sarbanes-Oxley Act (SOX) as well as other more stringent financial accountability standards, the role of SAS 70 Type II audit and certification has grown. My company takes SAS 70 Type II audits very seriously.

That’s because both SOX and SAS 70 Type II use the same model of controls — so a SAS 70 Type II certification is the best way third parties (like our customers) can be assured of acceptable, SOX-compliant service organization controls.

Developed by the American Institute of Certified Public Accountants (AICPA), SAS 70 Type II audits mean an independent third-party has verified that a service organization’s policies and procedures were correctly designed and operating effectively enough to achieve the specified control objectives.

Continue reading