Nothing is more important than the security of business-critical applications. In the event of a breach, data gets into unauthorized hands, companies’ reputation suffers and disappointed customers switch to competitors. Unfortunately, companies often do not take the necessary security measures.
There are six misleading, widespread myths that jeopardize the application security of many businesses.
Myth 1: Cyber criminals are attacking infrastructure rather than applications
Unfortunately, this myth is a common misconception. NTT’s Global Threat Intelligence Report (GTIR) shows that more than 50% of all attacks happen at the application layer, which classic firewalls do not protect. At the infrastructure level, critical business applications should be protected by an application firewall that controls input, output and access to external services, and blocks traffic that does not comply with policy.
Far more important today, however, is that application security starts with the development of the application. Developers must follow common security standards and best practices to avoid producing insecure code. Across the entire application lifecycle, timely patch management also plays a very important role (see Myth 5).
Myth 2: Penetration tests are enough
Most application owners believe that a successful penetration test almost guarantees the security of an application. This is sometimes true for simple apps, but enterprise applications are much more complex, containing a lot of business and process logic, and cannot be assessed entirely by penetration tests alone. Development, staging and release processes in which several business units are involved should therefore implement additional security measures. NTT recommends implementing a software development lifecycle (such as OpenSAMM or BSIMM) that also covers security testing during development and operations and helps companies set up a security strategy for business-critical applications.
Special attention is required for internally developed applications such as extensions for SAP systems. Today, more than 70% of SAP functionality is programmed by customers themselves. The security measures established with the help of maturity models such as OpenSAMM are particularly important for proprietary software for which the customer itself is responsible.
Myth 3: Security tools are all the team needs
Many companies rely too heavily on their security tools, such as patching or configuration management. In today’s application landscape we see more and more open communication: everything in IT is “talking” with everything else. By contrast, individual business units still communicate too little with each other, each focusing on its own tools that are not integrated into a holistic IT security strategy. Security experts who are committed to such a holistic security strategy should sit at the table for each new launch and every important decision.
Myth 4: Cybersecurity is the IT team’s problem
45% of business decision makers think that cybersecurity is the IT department’s problem and not the wider business’s, according to our Risk:Value Report conducted earlier this year. This is concerning, as any employee could become a cyber criminal’s point of entry into the organization. It is therefore important to create risk awareness through regular employee training and to inform staff about current attack vectors. Training does not stop cyber criminals from accessing sensitive data through social engineering techniques such as personalized phishing mails, but it raises the barriers for them.
Myth 5: Patching can cause a major impact on businesses’ uptime
On average, vulnerable, unpatched applications remain online for several hundred days after their vulnerabilities become known, during which cyber criminals could launch an attack at any time. The biggest security weakness in applications is unpatched libraries, according to the Application Security Statistics Report 2018 (Vol. 13) by WhiteHat Security. One reason for the lack of patching is the widespread misconception in many companies that IT systems will undergo excessive downtime and the company will lose a lot of money during that time.
This assumption is usually incorrect. With a patching strategy that fits the company’s application landscape, including a risk classification for each application, patching will only cause a short-term shutdown of individual components. Other options include applying patches during regular maintenance windows or overnight, when most applications are not heavily used.
Myth 6: If you're hacked, there's nothing left to do
In the case of an attack, companies should keep calm and avoid the further damage that ill-considered short-term reactions can cause.
Take, for example, a company that pulled the power plug after an attack and consequently destroyed the hard disk controllers. It was no longer possible for the forensic investigators to reconstruct the attack and subsequently identify the attack vectors.
Instead, the goal should be to collect as much evidence and data as possible and to seek the help of professional security experts as quickly as possible.
Furthermore, establishing an incident response plan in advance will be of significant help and guidance in the event of a security incident.