SAP CISO: Application Security Still Too Difficult
Many advances in application security have been made over the years, yet building and deploying secure applications remains a challenge for even the most well-heeled of organizations.
Justin Somaini, chief information security officer (CISO) for SAP, says the sheer volume of code coupled with the increased rate at which additional code is being added or updated conspires to make application security the most challenging issue facing IT organizations today.
Despite having access to any number of application security technologies, SAP still discovers about 500 vulnerabilities across the billions of lines of code being created by more than 30,000 developers, Somaini says. Given the size of the SAP portfolio, the security team at SAP is not the only entity looking for those vulnerabilities. Positive Technologies, a provider of IT security software, revealed this week that it once again found more vulnerabilities in SAP software, which SAP has since patched.
Compounding the vulnerability discovery and remediation challenge these days, he adds, is the fact that SAP is also now relying more on open-source software. Patches and updates made to open-source software need to be tracked and then vetted. On top of that are all the application dependencies tied to the software update. More disturbing still, it’s difficult to know what back doors might have been included in the software by its original development team, Somaini notes. And organizations of all sizes need to consider when moving to the cloud that 70 percent to 80 percent of all the software being used by a cloud service provider came to them via an open-source project, says Somaini.
Somaini says SAP has tried every approach, from buying static and dynamic code analysis software to developing its own tools, to automate the vulnerability discovery process. But even with all that effort, vulnerabilities can still go undetected, he says. Machine learning algorithms offer hope for the future in terms of identifying vulnerabilities. But in the meantime, application security remains a game of balancing security requirements against the available budget and time to market. Like most businesses, SAP is continually trying to strike a balance between what constitutes a minimally viable new offering for a new application and the security that offering needs. The problem with application security in general is that too many organizations defer security issues to be addressed later and then forget to address them at all.
On the plus side, Somaini says the shift to the cloud is proving to be a boon for application security. Maintaining control over the application means the onus to update applications is on SAP instead of the customer's internal IT organization. That makes it easier for SAP to apply automation to remedy an IT security issue across multiple instances of software, versus hoping the customer has the time required to test and then update an application with a patch supplied by SAP, he says.
In addition, Somaini notes that it's much simpler for a cloud service provider to implement a cryptographic engine that can be invoked as a service via an application programming interface (API) than it is to try to deploy a cryptographic engine on top of every local instance of an application.
But as significant as those advances may be, Somaini says modern application software is based on a digital supply chain that is not always made up of the strongest links possible.