Application Security

8 July 2009

Much of the time, particularly in the retail / hospitality space, compliance is driving security efforts.  I tend to have a problem with security via compliance because it usually results in an approach that is far too narrow for the overall security of the organization.  I understand the importance of PCI compliance and the need to become and remain compliant (obviously), but I also think that the whole cliche, ‘missing the forest for the trees’, applies really well to a security team that is chasing compliance rather than building a comprehensive security program (of which compliance is an important part).

Application security is one of the areas that I have seen thoroughly neglected once compliance requirements like PCI are addressed.  If the application doesn’t deal with card data, it’s ‘out of scope’ so no one ever takes a real hard look at it.  That’s a problem, as card data is just the first thing that retail and hospitality companies need to be worried about.  Protecting corporate information, trade secrets, personal information of employees, financial data, etc. is also extremely important and may not be addressed by PCI efforts.

Internally developed applications (which may include almost anything - planogram applications, EDI applications, inventory management, data storage/archiving apps, financial reporting, performance dashboarding, etc., etc.) are often critical to success and allow you to execute your unique business model.  Those applications (and others in the future) aren’t going to go away, but they certainly might be providing an entry point for those that are interested in valuable information.  Application security is critical to protecting your environment and it’s the number one area where we see vulnerabilities when we are brought in to do assessments.

A good percentage of our larger clients understand the risk involved in deploying applications out to a location footprint that may be national or international in scope, but I am still surprised that there are so many companies that really aren’t devoting the appropriate time and resources to application security.  Part of the problem might be that security is not necessarily something that a lot of developers have really been focused on, yet the development team is often asked to address the security of the application and to review their own work.  This is really important, but it’s typically not enough.

Most of the time, the development teams (and this is true for software vendors as well) are understaffed and being pushed to add features and functionality to the application against a schedule that is extremely tight (or completely unrealistic).  The developers are focused on keeping management happy, and management is typically happiest when the features that they have requested are built and incorporated into the application.  Makes sense - the additional features are being requested to address a particular business need (or to increase sales in the vendor’s case) and that is going to be a high priority; however, any focus on security tends to waver in that type of environment.

We also need to consider the fact that a lot of application development is being done either overseas or by contractors who are being brought in-house to work on an application.  These external parties are certainly being vetted for abilities prior to engagement, but, having worked in that industry for a period, I do not believe that ‘secure code development’ is typically at the top of the requirements list.

Also, asking anyone (not picking on the development community here) to fully review their own work for something that isn’t part of their core focus is unfair and is not going to be terribly effective over the long haul.  Independent review is extremely important and, for the purposes of efficiency and management ease, building an overall program that addresses application security through training and internal review, coupled with independent review of applications (potentially including code review or compiled application assessment), is going to deliver the greatest positive impact on application security.

So there’s my two cents’ worth on that - application security is something that needs to be looked at beyond the scope of PCI, and it needs to be done in a constructive manner with your development group.  I should note that this should never take a ‘gotcha’ approach - this needs to be addressed as something that is going to help your development team deliver an even better solution and will support their efforts.

Application security is the area where we find the most vulnerabilities when engaging with clients and I am completely of the opinion that it is one of the biggest areas of exposure for larger organizations.