Published by Amanda Cunningham. Modified over 8 years ago.
1
Optimize Existing Applications for Security in an Untrusted World
Inject application security practices into development and maintenance cycles.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2014 Info-Tech Research Group Inc.
2
Introduction

Security is often not a focal point in application development, as performance and time to market are viewed as higher priorities. Without embedding key security practices, organizations risk loss of reputation and intellectual property, frustrated end users, and high costs to reactively remediate breaches.

This Research Is Designed for an Application Development Manager who:
• Has high-risk or unsecured applications.
• Needs to ensure applications, data, and support infrastructure are not compromised.
• Needs a project roadmap for securing applications and data in their context.
• Wants to learn more about secure application practices and common security breaches.

This Research Will Help You:
• Integrate industry-standard best practices to build your application development security framework.
• Identify the security pain points in your current applications and development process and build a framework around these gaps.
• Roll out and monitor application security initiatives.
3
Executive Summary

Realize the risks to your application portfolio
Security is becoming increasingly important as apps become more distributed through APIs. Without embedding key security activities in each application of your portfolio, organizations risk loss of intellectual property, high costs in remediating breaches, and frustrated end users. Attacks can happen at any time, on any exposed application, and can last from a few minutes to several weeks. Left unaddressed, organizations will face compliance conflicts and loss of competitive advantage, and will be exposed to lawsuits.

Identify and fill your security gaps
Use data flows, process flows, and log files to assess your applications and pinpoint your security gaps. Assess all available security options. Introduce application security in layers: pivot from your existing strengths and lowest risk tolerance and move forward from there. Attempting a complete overhaul is highly disruptive.

Monitor your secure application activities
Compare the performance of your secure application activities before and after the rollout with key security metrics. Establish when maintenance needs and security reassessments occur.
4
Sections:
Make the Case
Step 1: Map the Apps at Risk
Step 2: Establish a Risk Profile
Step 3: Fill Your Security Gaps
Step 4: Roll Out Secure Applications
Step 5: Monitor the Rollout

What's in this Section:
• Realize that many organizations suffer from security breaches.
• See the benefits of introducing secure applications.
• Use this toolkit to help you improve your alignment with security requirements.
5
Realize the relevance of applications in an untrusted world

Many development organizations are unable to protect themselves from breaches and attacks
• Attacks are becoming more frequent and sophisticated. This means every single event could be one part of a larger incident that requires a fast and coordinated response.
• New technologies and the continued expansion of the enterprise environment mean that the number of breach entry points will only increase.
• Legacy applications and closed-source environments may prohibit layered security, increasing the risk profile.

The current threat context*
• 42% increase in targeted attacks in 2012
• 5,291 new vulnerabilities discovered in 2012
• 14 zero-day vulnerabilities
• Threats are increasing by 125,000 a day
• 91% of organizations experienced at least one threat in 2011
• 50% of businesses see cyber threats as a critical risk to their organization
• 35% experienced a data loss in 2011
*Source: Symantec Highlights from 2013 Internet Security Threat Report and Kaspersky Global IT Risk Report 2012

Info-Tech Insight
Application trust models have shifted. In today's world you can no longer completely trust third-party unsigned code or applications without first verifying that the data and/or code has not been tampered with in transit, under execution, or at rest.
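The Info-Tech Insight above states the principle (verify third-party code before trusting it) without showing what the verification step looks like. The following is an added example, not part of the Info-Tech deck or its tool: a loader that refuses to execute a third-party plugin unless its SHA-256 digest matches a value pinned when the code was reviewed. The plugin bytes, the tampered copy and the pinned digest are all constructed here for illustration; in practice the pinned digest would come from the vendor over a separate, trusted channel (a signed manifest or a published checksum), never from the same download.

```python
"""
Verify-before-execute for third-party code.

Added illustration of the "untrusted code" insight; not code from the
Info-Tech deck. All inputs below are constructed for the example.
"""
import hashlib
import hmac
from typing import Tuple

# Constructed sample: a vendor-supplied plugin as it arrived over the network.
TRUSTED_PLUGIN = b"def plugin_entry(x):\n    return x * 2\n"

# Constructed pinned digest: what the operator recorded when the plugin was
# reviewed. Stands in for a checksum obtained out-of-band from the vendor.
PINNED_SHA256 = hashlib.sha256(TRUSTED_PLUGIN).hexdigest()

# Constructed tampered copy: a single expression altered in transit.
TAMPERED_PLUGIN = TRUSTED_PLUGIN.replace(b"x * 2", b"x * 3")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes exactly as received."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the artifact digest against the pinned value."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex)


def load_if_trusted(data: bytes, pinned_hex: str) -> Tuple[bool, str]:
    """
    Gate execution on integrity: the plugin is compiled and run only after
    its digest matches. Returns (loaded, reason) so callers can log rejections.
    """
    if not verify_pinned(data, pinned_hex):
        return False, "digest mismatch: artifact rejected before execution"
    namespace = {}
    # Only reached for bytes whose digest matched the pinned value.
    exec(compile(data, "<plugin>", "exec"), namespace)
    return True, f"plugin_entry(21) = {namespace['plugin_entry'](21)}"


if __name__ == "__main__":
    print(load_if_trusted(TRUSTED_PLUGIN, PINNED_SHA256))
    print(load_if_trusted(TAMPERED_PLUGIN, PINNED_SHA256))
```

The digest check covers the "in transit" and "at rest" cases the insight names; the same `verify_pinned` call can be repeated against the bytes actually handed to `compile` to cover the "under execution" case when the artifact is re-read from disk at load time.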
6
What is the industry saying?

"Application security is a growing concern for enterprises." – Caleb Sima, CTO and co-founder, SPI Dynamics, Inc.

"If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked." – Richard Clarke, White House Cyber Security Advisor

"The reality is that malware is a $100 billion business globally and continues to grow." – The Top Seven Causes of Major Security Breaches, Kaseya

"The majority of companies have yet to implement secure development practices, most often citing time-to-market pressures, funding, and the lack of appropriate technologies suitable for use during development as their primary roadblocks." – Over Half of Companies Suffered a Web Application Security Breach in the Last 18 Months, Coverity, Inc., 2012

"While most applications suffered high-severity attacks for 12 days during a 6-month period, or once every 15 days, the duration and the number of attack campaigns varied widely, with some web applications under attack virtually every day. Each attack incident could consist of hundreds or even thousands of individual attack requests." – Imperva Web Application Attack Report, Imperva, 2013
7
Realize the full benefits of secure applications by proactively addressing the challenges

Strategically plan your rollout to overcome challenges for maximum benefits.

Secure Application Rollout Plan
Be careful not to take the benefits of secure applications out of context. You need to make security a priority during scoping and design, but a trade-off with other stakeholder benefits is essential to ensure business objectives remain the top-level focus.
8
Roll out secure application activities to achieve alignment with security obligations

Threats are evolving every day and are seen as unforeseeable and diverse. Protecting information has become less about technology and more about contributing to the sustainability of your development process as a whole.

Secure applications will help you meet your security obligations:
Business alignment
◦ Know your vital information assets
◦ Understand business context and know your business priorities
Risk mitigation and asset protection
◦ Understand your risk position and protect vital assets
◦ Keep up with threat trends and speed up incident response
◦ Eliminate duplicate efforts and "holes" in security coverage
Operational and cost efficiency
◦ Improve capital and operational expenditures
Compliance obligation
◦ SOX, Bill 198, POPI, PCI DSS, HIPAA, GLBA, etc.
◦ Local and regional privacy mandates
◦ Monitor regulatory compliance and evaluate compliance culture

Info-Tech Insight
Developing secure applications is a mindset. Implementations of this mindset vary across domains ranging from business to technical. This necessitates a governance process to reconcile security requirements that work independently but conflict when brought together.
9
Use Info-Tech's Secure Application Rollout Tool to document and track your security-related activities

Each tab in this tool will help you assess the risk and cost of each security gap in your applications. This tool will be used throughout this toolkit.

The Secure Application Rollout Tool:
Info-Tech Research Group's Secure Application Rollout Tool can be used to collect information about the alignment of existing applications with the current security framework, the risks caused by security gaps, pain points from existing artifacts, and churn caused by those pain points.

The Secure Application Rollout Tool will help you:
• Identify high-risk applications and security pain points.
• Realize the fit of existing security standards on the development process.
• Roll out security-related activities to fill security gaps and align applications with security standards and compliance.

Ensure your evaluation is accurate by including multiple business and IT stakeholders from various departments in the detail gathering, evaluation, and discussions.

See Info-Tech's Secure Application Rollout Tool.
10
Secure application rollout process

1 Map the Apps at Risk
2 Establish a Risk Profile
3 Fill Your Security Gaps
4 Roll Out Secure Applications
5 Monitor the Rollout

• Derive the security gaps from your application data flows, log files, and code structure. Assess each gap against your business and IT security requirements. Calculate the cost of leaving gaps unfilled.
• Identify the secure application activities to fill your gaps. Conduct an ROI and impact analysis to determine the best-fit activities.
• A prioritized set of secure application activities is defined based on ROI, application value, risk impact, and complexity.
• Provide stakeholders with a retrospective and the final costs of the executed secure application activities. Monitor the rollout against metrics and requirements.

How To Use This Toolkit:
A successful secure application plan requires ROI analysis, consistent communication, and careful execution to align with business and IT security expectations. Run through this toolkit multiple times to gauge the acceptance and success of the amendments and to identify the best-fit process. Repeat this assessment every six months to keep pace with today's rapidly evolving threats. Assess the trend of costs and performance over multiple iterations of this toolkit.
11
Create the entities needed for a successful secure application rollout

This toolkit addresses many entities that make the assessment and rollout of secure activities in-depth and effective. Each step of this toolkit walks through the documentation and analysis of seven key entities, which are input into Info-Tech's Secure Application Rollout Tool.

Steps:
1 Map the Apps at Risk
2 Establish a Risk Profile
3 Fill Your Security Gaps
4 Roll Out Secure Applications
5 Monitor the Rollout

Entities:
Applications
◦ Value: Availability & Integration
◦ Owner
Security Gaps
◦ Data Flows
◦ Process Flows
◦ Log Files
Gap Definitions
◦ Security Requirement
◦ Impact: Business & Technical
◦ Cost: People, Process & Technology
Securitization Activities
◦ Fixed & Variable Cost
◦ Impact Analysis
Activity Prioritization
◦ Criteria: Value, Security Impact, Complexity, ROI
Monitoring & Reporting
◦ Rollout Summary
◦ Metrics
Next Steps Triggers
◦ Environment Changes
◦ Regulations & Standards
◦ Evolving Breaches
12
Info-Tech Research Group Helps IT Professionals To:
• Quickly get up to speed with new technologies
• Make the right technology purchasing decisions – fast
• Deliver critical IT projects, on time and within budget
• Manage business expectations
• Justify IT spending and prove the value of IT
• Train IT staff and effectively manage an IT department

"Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment." - ARCS Commercial Mortgage Co., LP

Sign up for a free trial membership to get practical solutions for your IT challenges: www.infotech.com
Toll Free: 1-888-670-8889