Why You Need Application Security Testing for Business-Critical Applications: Part 4
Originally published by Onapsis here.
This blog series discusses the importance of building secure business-critical applications with application security testing. In the final blog in this series, we discuss how vulnerabilities in custom code and transports can lead to security and compliance issues.
Reason 4: Understand Potential Issues Regarding Data and Security Audit Compliance
Business-critical applications are used by an enterprise to run the applications at the core of their business. Many of these applications, especially SAP applications, contain information that is subject to specific government and industry regulations (SOX, GDPR, CCPA, and others). Due to the evolving threat landscape and increased risk to business applications, it is critical that enterprises are able to easily define and implement policies that protect their sensitive data and ensure it meets regulatory standards.
Increased Risk to SAP Applications
Digital transformation has brought about new levels of security concern and risks. Enterprises undergoing this transformation have migrated business-critical applications from their premises to cloud and third-party hosted platforms. These business applications process millions of employee, customer, financial and other sensitive data points each day. This has expanded their cybersecurity risk surface across new cloud, mobile, and next-generation database technologies.
Oftentimes third-party developers and contractors build custom code and transports for these business-critical applications, which can increase risk for the enterprise. Outsourced staff are often given extensive authorizations in order to complete projects quickly, which presents another avenue for security risk. It would be very easy for a malicious insider to hide harmful content or requests within the countless lines of code, or within the settings and tables of a custom transport, in a way that could go undetected once imported into the SAP production system.
The pace at which attackers are exploiting vulnerabilities in business-critical applications is also accelerating. Research from Onapsis Research Labs shows that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. Attackers are not only working faster, they are also working smarter. There is conclusive evidence that attackers who have sophisticated knowledge of business-critical applications target and exploit unsecured SAP applications using a variety of tactics, techniques, and procedures, not simply brute force against the application.
Compliance Frameworks & Regulations
Organizations need to consider business continuity and data loss, but they must also consider that if a threat actor is able to access these applications and reach the critical data that runs the business, the breach can violate several different compliance regulations.
General Data Protection Regulation (GDPR) provides a legal framework for compliance, affecting global businesses with headquarters both inside and outside Europe. If sensitive data is compromised, the enterprise is required to report the amount and type of data breached and how it proposes to address the breach, including any mitigation efforts, all within 72 hours. The potential fines for violating GDPR are substantial: up to €20 million or 4% of an organization's global revenue, whichever is greater.
The Sarbanes-Oxley Act (SOX) requires publicly traded companies to maintain adequate internal controls over financial reporting (ICFR). An unauthenticated attack targeting a misconfiguration or vulnerability in business applications could let hackers manipulate underlying financial data without touching financial applications or leaving an audit trail, violating ICFR and SOX.
Defense Federal Acquisition Regulation Supplement (DFARS) requires that all defense contractors maintain adequate security safeguards for any “controlled unclassified information” (CUI) that either is stored in or transits through the contractor’s systems. A contractor that fails to meet DFARS standards can be barred from bidding on government contracts, lose contracts it currently has, or even face civil and criminal penalties in court.
Foreign Corrupt Practices Act (FCPA) is the foremost corporate anti-bribery statute in the world. The ability to create a false trail of transaction records (sales policies bent to generate slush funds, accounting policies abused to fund bribes, payment records altered to hide true recipients) is what allows corrupt payments to flow. Strong cybersecurity thwarts that manipulation. It is vital that any cybersecurity strategy addresses threats at the application layer to mitigate the risk of a company being vulnerable to accounting fraud, regardless of other security measures such as firewalls, access control, and segregation of duties (SoD).
The Business Impact of Violating Compliance Regulations
Violating compliance regulations can lead to fines, business disruption, productivity and revenue loss, and reputation damage that can have long-lasting consequences. Downtime from exploited vulnerabilities in applications and custom code can cost millions of dollars. In 2020, the average cost from lost business due to a data breach was $1.5 million. Successfully exploiting a vulnerable system allows an attacker to execute a wide range of malicious activities, from impacting supply chains and manufacturing processes to redirecting financial payments to compromising highly sensitive data, most of which is subject to compliance regulations. Negative media coverage of data mishandling, which often leads to compliance violations and fines, can also damage customer confidence. Enforcing security and compliance standards throughout the application development lifecycle is the best way to avoid this fallout from security incidents of this nature.
For more information, download our whitepaper.
Source: Ponemon Cost of a Data Breach Report 2020