VP of Strategy at WhiteHat Security, an NTT company. Responsible for establishing and leading corporate strategy & business development.
In 2019, Satya Nadella, the CEO of Microsoft, delivered a now-famous quote: “Every company is a software company.” Over the past year, that statement has become more relevant than ever as more companies worldwide conduct business through web and mobile applications to navigate the disruptions caused by mandatory quarantine and social distancing regulations. At the start of the pandemic, companies were forced to transition their operations and digitize their services to be more software-oriented. Today, every company that we interact with daily is, in some form, an online business served through web and mobile applications.
An example of this sudden shift in business became apparent when the service light appeared on my car’s dashboard. Instead of driving to the mechanic, I was prompted to leave my car in my driveway for contactless repair and service. Using mobile applications, the mechanic unlocked my car, completed the service and charged my credit card without face-to-face contact. The pandemic has simplified and reduced even the most human-oriented tasks, but at what cost?
Companies now face an even greater risk than the virus: the ever-expanding attacks on the web, mobile and API applications driving our economy and the threat of security breaches through these applications. In the 2020 Global Threat Intelligence Report from NTT, client data showed that over half (55%) of attacks in 2019 involved web-application or application-specific attacks. This figure is up 32% from 2018. The risk in 2020 grew even more as organizations increased their web presence in the midst of Covid-19. With more use of portals for customers, e-commerce sites and supported web applications, the risk of exposure to cybercriminals grew.
Apps Are Key To Partnerships — But AppSec Is One Of The Biggest Risks
From a business development perspective, any company’s goal is to increase market share, gain control of an industry segment or adjacent market, or secure a merger or acquisition. Often, companies partner with other companies to create a profitable business or to improve or strengthen their market standing to accomplish these goals. Still, many do not consider the risk that is involved.
Traditional business risks come from inheriting a partner. Contemporary business risks come from inheriting a partner’s applications. In the new world of digital-only business, business development leaders must consider the application security (AppSec) risk of partnering with another company, because exposure by association can lead to reputational or financial loss.
In a report commissioned by my company along with our parent company, NTT, we found at least 50% of applications in industries such as manufacturing, public services, healthcare, retail, education and utilities are vulnerable due to one or more serious exploitable vulnerabilities. Once an application is breached, customer, personal and financial information is leaked, leading to significant consequences. Companies must take responsibility for diligently selecting business partners with established best practices for application security to ensure both parties involved are secure and prepared.
API Integrations Simplify Partnerships, But Can Greatly Increase Risk
In any partnership or merger and acquisition activity, organizations reach a stage where they need API integrations to sync data, enhance productivity and grow revenue. While API delivery creates efficiency and innovation, APIs inherently lack security, making them prone to application security risk. Integration has become simpler thanks to progress in the sophistication and standardization of APIs. Still, API security’s ongoing complexity resulted in the Open Web Application Security Project adding “sensitive data exposure” from web applications and APIs to the OWASP Top Ten list of application vulnerabilities in 2020. When two companies decide to integrate their applications, they should explicitly account for the risks both companies inherit from insecurities in each other’s applications.
Taking Ownership Of Application Security Is The Responsible Thing To Do
If you are an organization looking to partner with other companies, API, web and mobile applications must be tested for security to avoid consequential loss due to security vulnerabilities on the part of a strategic partner. Similar to how we view the spreading virus, it is possible to unintentionally infect your friend or your organizational partner if you do not take the necessary precautionary steps of testing and protecting your applications. Prioritize the requirement for application security assessment with your partners when you are executing on your growth strategy with them.
VP of Strategy at WhiteHat Security, an NTT company. Responsible for establishing and leading corporate strategy & business development. Read Setu Kulkarni’s full