The painful consequences of data leakage are becoming well known: damage to a brand’s reputation, loss of customer trust and confidence, potentially costly litigation, and fines (such as those levied by the GDPR).
To reduce or prevent these organisational threats, firms need to focus on the points where the risk of attack is greatest. An example to provide context: If you had to decide to repair either a broken front door or a small hole in the garden fence, one would hope that no rational homeowner would prioritise the fence hole over the front door repair. However, visually speaking, far too many companies are ignoring this proverbial front door vulnerability.
Cyber-criminals can take advantage of many different attack strategies in order to cause damage. According to new research from Pradeo, 78% of cyber attacks on mobile devices take place within the application layer. Experts from SAP also cite the application layer as the most common attack vector.
Applications are highly complex systems, and as such this high number isn’t so surprising. What is concerning, however, is that the vast majority of firms spend most of their time and budget on network security.
Most every modern business has an online presence today. While software isn’t the core business for many, mobile and web applications form the foundation of many new business opportunities. If these applications aren’t secure, they leave the door open to attack.
To ensure that security measures have been applied throughout all potentially vulnerable areas within a piece of software, organisations must consider three key elements:
Securing these three aspects supports a firm’s efforts to protect sensitive data from misuse and minimises risks of potentially costly software deficiencies.
The real challenge is to implement security measures with regards to people, process, and technology without slowing down the application development and deployment. After all, application security isn’t a one-time security check. It’s a continuous effort to ensure security measures are present and up-to-date with the ever-evolving threat landscape.
Here are 5 best practices to do just that:
Best Practice #1: Eliminate vulnerabilities before software moves into production.
Integrate security measures from the very beginning of the software development lifecycle. This is often referred to as a ‘shift left’ approach, meaning that security will be a consideration from the concept and design phases, through the entire development process, into production. One common concern is that security testing during development slows the time to market. However, this isn’t necessarily the case. Finding and fixing weak points during the development and testing phases is more time-efficient and cost-effective than doing so later in the process.
Best Practice #2: Address security in architecture, design, open source, and third-party components.
Many firms conduct penetration testing against their own systems as the primary means of security testing. This falls short because it doesn’t catch architecture and design flaws which account for half of all security issues. Knowing this, it is important to enact a more comprehensive strategy so that architectural defects, including violations of secure design, authentication failures, and security-related misconfigurations are identified and remediated as early as possible.
This can be carried out with a risk analysis of the application architecture and threat model. Today’s applications contain up to 90% open source and third-party code. These components have become virtually indispensable for application development. Considering that it usually doesn’t make sense from a budgetary standpoint for companies to develop an application from scratch, independently.
Since open source is ubiquitous, and yet is rarely tracked, it has become a key target for hackers. Exploits are available nearly immediately after a security vulnerability surfaces on the internet. Vulnerabilities act as the potential key to hundreds or even thousands of applications containing the affected component. To minimise the risk, it is important to know which components are in use within your code base. A code audit, also known as a software composition analysis, is the first step to understanding the open source components in use within your software.
Best Practice #3: Enable application security measures within the developer environment.
Integrated development environment (IDE) plug-ins allow developers to test the results of security testing directly within the developer environment. This analysis takes place automatically in the background as the developer writes code and delivers results in real-time.
Deciding on the right tooling is also very important. A single AppSec tool isn’t enough, as no one tool can identify applications:
- developed using different languages and frameworks
- hosted in different environments (cloud or on-prem)
- using open source or third-party libraries to varying degrees
- differing in additional critical aspects affecting the results of security testing
Best Practice #4: Build an AppSec tool-belt that brings together the solutions necessary to manage risk.
An effective AppSec tool-belt should include integrated solutions addressing end-to-end application security risks. It should also enable the analysis of vulnerabilities in proprietary code, open source components, and runtime configurations.
Consider the following solutions when strategising your tool-belt:
- Dynamic application security testing (DAST) analyses running applications early in the SDLC.
- Interactive application security testing (IAST) identifies and verifies vulnerabilities and data leaks through the automated testing of running web applications.
- Static application security testing (SAST) identifies and fixes security and quality risks in proprietary code during development.
- Software composition analysis (SCA) helps manage open source security and license compliance risks through automated analytics and policy enforcement.
- Penetration testing focuses on exploratory risk analysis and application logic by identifying and attempting to manipulate vulnerabilities in web applications and services based on a test plan.
Each solution addresses specific types of application security vulnerabilities. Only by combining the appropriate solutions, based on your organization’s needs, can security risks be successfully minimised.
Best Practice #5: Create security concepts that help your development and operations teams implement cloud security best practices.
The primary benefits of application deployment in the cloud include higher agility and lower operating costs. However, going into the data cloud also involves specific risks, in particular the loss of transparency and control over infrastructure and services that affect application security. Failure to understand and address the risks of the cloud environment can endanger sensitive data.
A cloud security assessment should be performed to identify specific security risks to the targeted cloud platform. Once these risks have been fully captured, a roadmap for cloud migration should be created. This ensures that all teams are aligned, and your priorities are clear.
Florian Thurmann is the Director of Software Security Operations at Synopsys