Application security is a critical element of a company’s defence against cyber-attacks.
An International Data Corporation (IDC) report released last year forecasted that the Enterprise Applications (EA) market is expected to grow to about USD 334 billion by 2025. This would be almost a 40% growth from the USD 241 billion clocked in 2020. (Source: International Data Corporation)
IDC’s report focuses on commercial software revenues. The actual spends are likely to be much higher than the report’s forecast. It doesn’t consider customisation, consulting, system integration, and training expenses.
Another report by Allied Market Research predicted that the EA market will touch USD 527 billion by 2030, growing at a Compounded Annual Growth Rate (CAGR) of 8.2%. (Source: CISION PR Newswire)
The force driving this growth is the increased focus from organisations on Digital Resiliency. This has become an existential issue for companies. In a digital-first world, businesses need to leverage the capabilities of their enterprise application portfolio to adapt to market disruptions. This will enable them to leverage data, gain better insights and drive innovations within their organisational structure. These vast numbers tend to mask that organisations are often leaving themselves open to cyber-attacks in this move towards digital resiliency. There are multiple reasons for this.
As one research showed, more than half of the IT teams surveyed were running their applications in complex legacy stacks, which many don’t understand. It also reported that 45% of IT organisations lacked sufficient full-stack developer skills. (Source: GlobeNewswire)
The increased emphasis on open source-based development of EAs has exacerbated the situation. According to a report in 2021, globally, developers are likely to borrow more than 2.2 trillion open source packages or components from third-party ecosystems(Source: sonatype). The reason for this popularity is simple. Open source development has several advantages regarding costs, time to develop and deploy and versatility.
The crucial questions that organisations need to address are the specific open source libraries, components, and code being used and whether these contain vulnerabilities.
But this is easier said than done because of the sheer volume of open source components and packages available. According to estimates, the top four open source ecosystems contain almost 37.5 million components and packages, and about six million are being released annually.(Source: sonatype)
Aggravating the lack of visibility issue is the fact that in the open source world, developers use libraries that, in turn, rely on other libraries that depend on other libraries (and so on and so on).
Version control and patching are also critical. In 2017, for example, Equifax, a US-based credit bureau, had a breach because of inadequate patching of Apache Struts resulting in the financial data of over 162 million people across three countries being compromised. Equifax had to eventually settle the resultant litigation at the cost of USD575 million. (Source: Wikipedia)
The Equifax data breach occurred because there was a published vulnerability and the hackers scouted around for enterprises that hadn’t patched for it. But in the last few years, attacks on software supply chains have become more sophisticated and sinister. Malicious actors no longer wait for publicly-disclosed vulnerabilities. Instead, they inject new ones into open source projects and then exploit them before they are discovered. Such upstream attackers have stealth and time on their side as the compromised package moves into the code bases of thousands of companies. According to a report, such attacks represented a 650% increase Year-on-Year. (Source: sonatype)
Here are a few best practices to make your EAs secure:
Site Selector
Global
Americas
Asia
Europe
Middle East and Africa