We cover application security extensively on this blog, but normally we are trying to demystify a specific technology area to help companies understand what to look for in products, and how to differentiate real capabilities from marketing fluff. But in light of recent conversations with large enterprises, it has become clear that most of these firms have gaps in their security programs, specifically in and around the major enterprise applications which are core to their business. This is surprising because platforms like SAP and Oracle have been in place for over a decade, so you might expect every facet of security to have some coverage by now. And they are surprised to hear these gaps exist, having assumed their tools and processes provided complete coverage. So we decided to take a look at application platforms and highlight the common deficiencies we see. Here is an excerpt from our paper:
Supply chain management, customer relationship management, enterprise resource management, business analytics, and financial transaction management are all multi-billion dollar application platforms unto themselves. Every enterprise depends upon them to orchestrate core business functions, and spends tens of millions of dollars on software and support. We are beyond explaining why enterprise applications need security to protect these investments – it is well established that insiders and persistent adversaries target these applications. Companies invest heavily in these applications, the hardware to run them, and the teams to keep them up and running. They perform extensive risk analysis on their business implications and the costs of downtime. And in many cases their security investments are a byproduct of these risk profiles. Application security trends in the 1-2% range of total application investment, so we cannot say large enterprises don’t take security seriously – they spend millions and hire dedicated staff to protect these platforms. That said, their investments are not always optimal – enterprises may bet on solutions with limited effectiveness, without a complete understanding of the available options. It is time for a fresh look.
You can download a PDF directly: SecureEnterpriseApps_FINAL.pdf