Fact or Fiction: Business-Critical Application Security Edition
As business-critical application security experts (SAP, SFDC, Oracle), we know the many tales and misconceptions surrounding the current threat landscape. Let’s take a look at some common misconceptions around business-critical application security and use these insights to help make better decisions to keep your organization secure.
My business-critical systems are deep inside my network, so they are safe.
Over the years, we’ve seen many presentations using the castle analogy to illustrate security, with a moat, thick external walls and an inner keep to illustrate a defense-in-depth strategy. The mindset: your most valuable assets are safe inside your network and there is no way someone on the outside could ever navigate their way in, right?
Fast forward to today:
- Third-party vendors have VPN access to your network, allowing them to maintain their software
- Users inside the network have broad access to the internet, exposing them to accidentally downloading malicious code
- Hackers have access to thousands of hours of content on how to hack critical systems and to open-source tools for deploying exploits
The truth is, due to advances in tunneling technologies and new techniques, the concept of a perimeter has dissolved. Firewalls are still critically important, but you cannot rely on them to protect your most mission-critical data. Hackers are sophisticated and the attack surface for mission-critical applications is expanding.
My business-critical systems are specialized; no external person could understand them well enough to exploit them.
This could have been true in the past, but with the rise of the internet that scarcity of information no longer exists. Cloud services provide not only the resources and capacity to spin up different systems for learning and testing, but also templates for a large number of different mission-critical applications.
Over the last decade, enterprises have invested in teams and technologies to try to find outsiders in the network, so the time an attacker can expect to spend in a network before detection and expulsion is reduced. The role of a security program is not just to implement technology to prevent breaches, but also to implement technology that will detect breaches and intruders as soon as possible, with a program in place to react and neutralize the intrusion.
Modern buildings are made with flame-retardant material, but they still have sprinklers installed. Modern security teams should implement programs (sprinklers) to reduce the likelihood of a breach to as close to zero as possible. It’s also important to note that a breach becomes more and more likely over time, so having detection and response technology in place to react is essential.
Applying patches regularly is enough to keep my applications secure.
It is a well-known fact that security-related defects sometimes make it all the way into released commercial software. All major vendors issue periodic patches to remediate these defects. Enterprise security teams are tasked with tracking these patches and applying them to affected systems. For these teams, it is a significant burden to keep up with the sheer volume of updates released, analyze their impact and prioritize the sequencing of the patches. This is before the actual change management and the application of the patches themselves.
Given this landscape, patch rollout schedules can sometimes be protracted, providing a window for threat actors to exploit these known vulnerabilities. In fact, we have observed exploits in SAP applications being created within 72 hours of a CVE (and corresponding patch) being disclosed. Responding within this time frame can be extremely challenging for defender teams, especially for mission-critical systems where uptime is critical for continued operation of the business.
It is also important to understand that an aggressive patching program is necessary for effective application security, but is not sufficient. Enterprise software can have hundreds of settings and configurations that affect security and access to data. If these configurations are lax or misadjusted, they can provide an entry point for threat actors. Configurations are not “set-it-and-forget-it”. Administrators make multiple changes to them over time, so it becomes important to continuously monitor for configuration changes and drift.
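One way to separate harmless configuration drift from drift that leaves a setting lax, shown as an added example that is not part of the original article or any vendor tooling. The names are SAP profile parameters; the baseline thresholds, the snapshot values and the choice to treat an unset baseline parameter as a finding are assumptions made for illustration.

```python
import operator

# Baseline: parameter -> (comparison, required value); thresholds are assumptions.
BASELINE = {
    "login/min_password_lng": (operator.ge, 12),
    "login/fails_to_user_lock": (operator.le, 5),
    "gw/acl_mode": (operator.eq, 1),
}

def parse_profile(text):
    """Parse 'name = value' lines, skipping blanks and '#' comments."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def violations(params):
    """Baseline parameters that are unset, non-numeric, or fail their rule."""
    bad = []
    for name, (check, required) in BASELINE.items():
        raw = params.get(name)
        if raw is None or not raw.isdigit() or not check(int(raw), required):
            bad.append(name)
    return sorted(bad)

def drift(previous, current):
    """Every parameter added, removed or changed between two snapshots."""
    names = sorted(set(previous) | set(current))
    return {n: (previous.get(n), current.get(n))
            for n in names if previous.get(n) != current.get(n)}

def review(previous_text, current_text):
    """Return (all drift, drifted parameters that newly break the baseline)."""
    prev, cur = parse_profile(previous_text), parse_profile(current_text)
    changed, was_bad = drift(prev, cur), violations(prev)
    newly_lax = [n for n in violations(cur) if n in changed and n not in was_bad]
    return changed, newly_lax

# Constructed snapshots of one system's profile, taken a week apart.
LAST_WEEK = """login/min_password_lng = 12
login/fails_to_user_lock = 5
gw/acl_mode = 1
rdisp/gui_auto_logout = 900"""
THIS_WEEK = """# constructed: gw/acl_mode line deleted, password length lowered
login/min_password_lng = 8
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 1800"""
```

On the constructed snapshots, three parameters drift, but only the shortened password length and the deleted gw/acl_mode line are reported as newly violating the baseline.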
Another vector that is not covered by patches is custom extensions of functionality implemented by the enterprise. Almost every mission-critical application and platform can be extended by programming in its native environment (ABAP for SAP, APEX for Salesforce, etc.). This added functionality is also an additional attack surface that is subject to the same threats as the out-of-the-box software.
CISOs should think about a comprehensive application security program that extends beyond patching into configuration as well as custom code. Continuous threat monitoring for exploits including pre-zero day coverage can play a very critical role when remediation may take longer.