Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/6/2012
12:25 PM
50%
50%

5 Steps To Stronger SMB Application Security

How one never-breached, midmarket retailer avoids the too-small-to-be-secure mindset in favor of Fortune 500-grade threat prevention.

9 Startups To Watch In 2012
9 Startups To Watch In 2012
(click image for larger view and for slideshow)
Small and midsize businesses (SMBs) have a litany of excuses at their disposal for spotty security practices, with slim budgets and IT departments leading the list. Those two, in particular, are valid reasons. You can either cave to them, or secure your company's assets anyway.

Bob's Stores chose the latter for its approach to application security. The midsize, regional retail chain employs roughly 650 people; suffice it to say the lion's share of the staff works on something other than application security.

"IT is very light," said Yaron Baitch, director of IT and information security at Bob's Stores. In an interview, Baitch outlined how Bob's Stores ensures top-notch security for both its internal employee and external customer applications, in spite of limited resources.

[ The new Internet protocol is coming--are you ready? See 3 Ways For SMBs To Plug IPv6 Security Holes. ]

He shared a panel on the topic last week at the RSA Security Conference. It's a fairly straightforward recipe grounded in an organizational understanding that the company's bottom-line health is at stake. And it works: Bob's Stores has never had a breach. Baitch half-jokes that acknowledging this fact makes his company a juicier target for hackers. Dark humor aside, that speaks to a basic security mistake many SMBs still make: Thinking no one would bother with their "small" business.

Here's how Bob's Stores sidesteps that myth in favor of secure applications.

1. Security Is A State Of Mind
That basic level of awareness is a must--not just for IT, but for each and every person in the organization, regardless of their job description. This is the step that sounds easy, yet gets bypassed on a regular basis. "Security is everybody's responsibility," Baitch said. That mindset should extend to vendor-built applications, too; Baitch points out that if there's a security breach, your customers will associate it with your brand, not with a backend developer. "Making sure everyone's playing on the same page is critical," Baitch said.

2. Let Your Pain Points Make Your Business Case
Baitch considers it good fortune that his company must adhere to Payment Card Industry (PCI) standards. I'll repeat that: Baitch is glad he has to deal with PCI, even though he doesn't have the compliance budget of much larger retailers that operate under the exact same rules. He's not insane; he's pragmatic. PCI essentially makes Baitch's business case for him when he explains the importance of security to executives and other stakeholders. If your company contends with heavy compliance burdens, use those to prove your security case to the rest of the business. Still, Baitch acknowledges it's not always easy. Negotiation with the business is key--if you aren't so "fortunate" to deal with a regulatory quagmire, come up with a different set of reasons and priorities that non-technical people can understand and buy into.

3. Know Your Strengths And Weaknesses
Don't shy away from your natural limits. You don't have Google's gazillions; you can't spend your way past every business challenge. Boo-hoo: Double-down on your strengths and shine an equal spotlight on the skills that are lacking. Doing so will help you identify where it makes sense to allocate your finite budget. An example: Baitch is "thoroughly impressed" by his small internal development team and credits them with excellent custom-built applications. But ensuring that each line of the code behind those applications is secure isn't necessarily a strong suit. "They don't have the holistic view of security in mind," Baitch said. So Bob's Stores enlists a third party, Veracode, to test its applications for potential security holes.

4. Outsource Your Weaknesses
If Baitch had to start over, one thing he'd do differently would be to embrace outside help earlier. It can run counter to the do-it-yourself ethos common among many SMBs. It can also require letting go of some ego. But outsourcing your skill shortages can turn them into strengths. "Leveraging third-party tools from the beginning would probably be the number one thing I would have changed, as opposed to having a learn-on-the-job type thing for developers," Baitch said.

5. Know Your Endgame
Baitch is quick to point out that no two companies are quite alike. Therefore, there's no set of security goals that can be applied uniformly to every SMB. Define what you need to secure and why--then pursue those goals with gusto. PCI compliance was the headliner for Bob's Stores. Your SMB's list might look entirely different. Having clear goals helps reinforce step one--that organizational mindset that understands there are a real reasons for doing X, Y, and Z, rather than considering those variable practices a waste of time. "The endgame has to have everyone on the same page," Baitch said. "It's your job to implement. How you implement is completely up to you, as long as you meet that end result."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In our Cloud Security report, we explain the risks and guide you in setting appropriate cloud security policies, processes, and controls. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
3/15/2012 | 1:57:17 AM
re: 5 Steps To Stronger SMB Application Security
Number 4 is good one. Sometimes it can be cost-effective and smart to get some help.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.