By now, the potential consequences of data breaches are both familiar and painful: brand damage, loss of customer confidence, potentially costly litigation, and regulatory fines.
To reduce those threats, organisations should focus on the greatest risks to the security of their data. No sane homeowner would fix a small hole in the backyard fence before replacing a smashed-in front door. Unfortunately, when it comes to cyber threats, too many organisations are figuratively focussed on the fence, ignoring the smashed-in door.
According to SAP, 84 per cent of cyber attacks happen on the application layer, making it the number one attack surface for hackers. Yet, where do organisations spend the most time and money? On network security.
To protect sensitive data, and to minimise the risk from security defects in the software that runs their applications, organisations need to focus on the figurative smashed door and address application security holistically. Here’s how.
1) Eliminate vulnerabilities before applications go into production
Contrary to common perception, security testing throughout development doesn’t slow the process down. Making security part of the SDLC from beginning to end – design through production – actually makes finding and fixing vulnerabilities more efficient and far less expensive than doing so when an application is already in production.
2) Address security in architecture, design, open source, and third-party components
Design flaws account for 50 per cent of security vulnerabilities, so organisations should use risk analysis and threat modelling to identify design defects, security omissions, control misconfigurations, weaknesses, and misuse. Moreover, more than 90 per cent of today’s applications contain open source components, for which exploits become available almost immediately after a vulnerability becomes public. This provides hackers with the key to thousands of applications. Software Composition Analysis (SCA) can help identify open-source and other third-party code, which means you can more effectively manage those risks. You can’t protect what you don’t know you have.
3) Adopt security tools that integrate into the developer’s environment
One way to do this is with an IDE (integrated development environment) plugin, which lets developers see the results of security tests as they work on their code, in near real time.
4) Assemble an ‘AppSec toolbelt’ that brings together the solutions needed to address your risks
No single tool or solution can eliminate your risk. To reduce it, you need an AppSec version of a builder’s toolbelt that brings together the multiple solutions you need to address your risks. Some of the tools you should consider for your toolbelt are:
- DAST (dynamic application security testing): tests running applications from the outside, as an attacker would; because it needs a deployed instance, it typically runs against test or staging builds rather than production
- IAST (interactive application security testing): helps identify and verify vulnerabilities and sensitive data leakage with automated testing of running applications
- SAST (static application security testing): helps find and fix security and quality weaknesses in proprietary code as it’s being developed
- SCA: manages open-source security and license compliance risks through automated analysis and policy enforcement
- Pen testing: focuses on exploratory risk analysis and business logic by finding vulnerabilities in web applications and services and trying to exploit them at the end of development, so they can be fixed before production
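The SCA entries above (identifying third-party components, matching them against published vulnerabilities, and enforcing a licence policy) are the one item in this list that reduces to a concrete, mechanical check. The following is an added example, not code from the original article or from any Synopsys product: a minimal SCA pass in Python. The manifest, the advisory feed (shaped loosely like an OSV record with an introduced/fixed range) and the licence metadata are all constructed for the example, and the advisory IDs, package names and versions are hypothetical, not real CVE data.

```python
"""Minimal software composition analysis (SCA) pass: inventory pinned
third-party components, match them against a vulnerability feed using
version ranges, and enforce a licence policy. All inputs are constructed
sample data for this example; none of it is real advisory data."""
import re

# Constructed sample manifest in requirements.txt style (not a real project).
MANIFEST = """\
# web stack
requests==2.19.0
pyyaml==5.3.1
flask==2.3.2
leftpad-like==0.1.0
vendored-util==1.0.0
"""

# Constructed, hypothetical advisory feed: each record says which package is
# affected from 'introduced' (inclusive) up to 'fixed' (exclusive).
# fixed=None would mean no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-2018-0001", "package": "requests", "introduced": "0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-2020-0002", "package": "pyyaml", "introduced": "5.1", "fixed": "5.4"},
]

# Constructed licence metadata and a hypothetical policy for this product.
# vendored-util has no metadata at all, which is itself a finding.
LICENSES = {
    "requests": "Apache-2.0",
    "pyyaml": "MIT",
    "flask": "BSD-3-Clause",
    "leftpad-like": "GPL-3.0",
}
DENIED_LICENSES = {"GPL-3.0", "AGPL-3.0"}


def parse_version(v):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically.
    Comparing the raw strings would rank '2.19.0' below '2.2.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", v))


def parse_manifest(text):
    """Return {name: version} for pinned 'name==version' lines.
    Blank lines and comments are skipped; an unpinned line is rejected,
    because an inventory that cannot name the exact version is not one."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable dependency: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None: no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(deps, advisories):
    """List (advisory id, package, pinned version) for every match."""
    return [
        (adv["id"], name, ver)
        for name, ver in deps.items()
        for adv in advisories
        if adv["package"] == name and is_affected(ver, adv["introduced"], adv["fixed"])
    ]


def find_license_violations(deps, licenses, denied):
    """Flag components whose licence is denied by policy or simply unknown."""
    findings = []
    for name in deps:
        lic = licenses.get(name, "UNKNOWN")
        if lic in denied or lic == "UNKNOWN":
            findings.append((name, lic))
    return findings


def run_sca(manifest_text=MANIFEST):
    """Full pass: inventory, vulnerability matching, licence policy."""
    deps = parse_manifest(manifest_text)
    return {
        "inventory": deps,
        "vulnerable": find_vulnerable(deps, ADVISORIES),
        "license_violations": find_license_violations(deps, LICENSES, DENIED_LICENSES),
    }


def policy_gate(report):
    """Non-zero when anything should block the build, for use in CI."""
    return 1 if report["vulnerable"] or report["license_violations"] else 0


if __name__ == "__main__":
    report = run_sca()
    for finding in report["vulnerable"]:
        print("VULNERABLE", *finding)
    for finding in report["license_violations"]:
        print("LICENCE", *finding)
    raise SystemExit(policy_gate(report))
```

Two details matter more than they look. Version comparison has to be numeric, or a 2.19 release will be reported as older than 2.2 and silently pass an "is it fixed yet" check. And a component with no licence metadata is treated as a violation rather than ignored, for the reason the text gives: you cannot protect, or clear for shipping, what you have not identified. A real SCA tool replaces the hand-written feed with a live vulnerability database and resolves transitive dependencies, but the gate logic is the same.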
5) Analyse your application security risk profile so you can focus your efforts
This can be done through threat modelling, which analyses the specific types of attacks an application is likely to face. Meanwhile, architecture risk analysis (ARA) can ensure that architecture and design flaws don’t make the application easier to hack. Finally, red teaming can help you identify immediately exploitable security holes across the entire attack surface.
6) Develop a programme to raise the level of AppSec competency in your organisation
Planning is key. Organisations should set objectives, outline a clear strategy and clarify the resources they will need to improve their AppSec.
7) Provide your staff with sufficient training in AppSec risks and skills
You can do this through eLearning, which allows staff to learn at their own pace, or by investing in instructor-led training (ILT), which can be delivered in live online sessions or on-premises.
8) Augment internal staff to address skill and resource gaps
Find a trusted partner that can provide on-demand expert testing, optimise resource allocation, and cost-effectively ensure complete testing coverage of your portfolio.
9) Understand your cloud security provider’s risk and controls
Security, development and operations teams need to know how to handle the risks that emerge as you migrate to the cloud. Start with a cloud security assessment to identify specific risks and opportunities associated with a target cloud platform.
10) Develop a plan to coordinate security improvements with cloud migration
After identifying the risks, a roadmap for cloud migration ensures all teams are in alignment and priorities are clear.
11) Establish security blueprints outlining cloud security best practices
Security blueprints lay out your cloud migration’s architectural structure with baseline security controls. They can help guide development teams and systems integrators in building and deploying cloud applications more securely.
Application security is not a one-time event. It’s a continuous journey. To do it effectively means building security into your SDLC without slowing down delivery times. Following the best practices described above will get you headed in the right direction… and ensure that your smashed-in door is properly secured before you turn to the fence.
Taylor Armerding, security strategist, Synopsys
Image Credit: Wright Studio / Shutterstock