The first security step when it comes to applications? Find them all

Knowing (and patching) the open-source components of applications is a critical security step—as long as you know where your applications are.

Organizations deploy an average of 89 apps, according to a 2022 Businesses at Work survey from identity and access management provider Okta. Companies with 2,000 employees or more deploy 187.

In addition to familiar workplace tools like Microsoft 365, Slack, or Monday, there are ones that employees build quickly to solve their problems. A security pro may write up a script to test controls, or an employee in media may create code to get videos published quickly.

As the application count increases, the index gets increasingly difficult to track—but inventory tools and surveys can help to provide a clearer picture of an organization’s many assets.

“We deal with these larger organizations where the security team may not even be aware of all of the applications that are out in their portfolio,” said Kristen Bell, director of application-security engineering at the IT services firm GuidePoint Security.

Employers see their shadow. In a June 2022 survey conducted by Osterman Research and the app-security platform provider Cerby, 51% of respondent employees and managers continue to use preferred applications, even if their organization prohibits their use.

Some organizations end up with two sets of tools: a defined group of acceptable services and a group that’s more…shadowy.

“What we see is this explosion of unofficial networks of unofficial applications,” said Bill Young, VP and senior cyber strategist at the consultancy Optiv.

The use of hardware or software without IT’s knowledge, also known as “shadow IT,” can lead to undetected, unpatched flaws.

If a third-party module is suddenly deemed vulnerable (think Log4j in 2021), an IT pro needs to know the location of applications before finding the component that needs patching.

Tools like configuration management databases pull in data from an internal environment to maintain consistent inventories. The products, however, don’t do the job on their own and require ongoing effort from IT teams.

“The reality is, if the entire company hasn’t bought into this”—by checking the database regularly and updating information on individual assets, says Young—“then it’s just another piece of software running on the environment that gives you a partial subset of your data.”

Organizations need to know their applications and bridge any knowledge gaps between developers and security—a fact that calls for a conversation between IT and employees if technology options are unavailable, according to Lisa McKee, director of governance risk, compliance, and privacy at the software provider Hudl.

She suggested questions like the following:

• What does your team do?
• What systems and applications do you work with?
• What are the inputs and outputs of data into those systems and applications?

“Students are largely taught how to make an application work, end to end…They’re not taught what…open-source code [is] and the risk that open source code presents. They’re not taught the breadth of, ‘What is inventory and how do we manage that?’” said McKee.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected].