By: Ian Hall, Head of Client Services, APAC, Synopsys Software Integrity Group
No organisation wants to be susceptible to cyber-attacks that can compromise sensitive customer, employee, and business data. By now, the consequences of data breaches are both familiar and painful: brand damage, loss of customer confidence, potentially costly litigation, and regulatory fines.
To eliminate your threats, or at least reduce them, your primary focus has to be on where the risk is greatest. If forced to choose between repairing a front door that’s been smashed in or a small hole in the backyard fence, no sane homeowner would opt for the fence. Unfortunately, when it comes to cyber threats, too many organisations are figuratively focused on the fence and ignoring the smashed-in door.
It’s true that for most organisations, software isn’t their core business. However, every modern enterprise — from retail to finance, healthcare, manufacturing, automotive, and more — has an online presence. Mobile and web applications enable their businesses — and those applications are built with, and run by, software. They operate both outside and across whatever security perimeter exists. Obviously, if they’re not secure, they put an enterprise at risk.
If you lead a modern enterprise, the mobile and web applications you create represent the figurative smashed-in door that threatens your business. To fix the door, you need to address application security holistically, across people, process, and technology, and throughout the software development life cycle (SDLC). Understandably, in a hyper-competitive world, you want to do that without slowing application development or making the process too complex. That’s a challenge, but it can be done.
Here are the best practices you can follow to protect your sensitive data and minimise risk:
Address the No. 1 attack vector—your applications
Enterprise applications, which are mostly web and mobile, are the new perimeters of your organisation. Since they operate outside and through the firewall, network security protections alone aren’t enough. You must:
- Maintain an accurate catalogue of your applications and understand the different risk profiles of those applications. Without knowing what you have, you won't know what you need to protect!
- Eliminate vulnerabilities before applications go into production. Secure the applications themselves.
- Continue securing applications once they are in production. Monitoring should be in place for new vulnerabilities, and the ability to fix and re-deploy quickly is important.
- Address security in architecture, design, open source and third-party components. If you’re only checking for bugs in your proprietary code or running penetration tests against your system, you’re likely missing a substantial number of the vulnerabilities in your software. Building security in right from the design phase will prevent them from being introduced in the first place.
- Adopt security tools that integrate into the developer's environment. One way to do this is with an IDE (integrated development environment) plugin, which lets developers see the results of security tests directly in the IDE as they work on their code. That analysis happens automatically as the developer works, delivering results in near real time. By delivering these results quickly and with minimal friction in the development process, you can achieve DevSecOps, as so many organisations strive to do.
Put the right tools in place
You don’t build a house (or fix a door) with just a hammer. Such a project involves a variety of materials, tasks, and requirements. Using a single tool definitely won’t get the job done and may do more damage than good. Similarly, no single AppSec tool does it all.
Strengthening your application security requires multiple analysis tools, all of which must work within your team’s environment to maximise productivity while enabling you to minimise the risk of vulnerabilities ending up in the final product. You can look into:
- Building an “AppSec toolbelt” that brings together the solutions needed to address your risks. An effective toolbelt should include integrated solutions that address application security risks end-to-end, providing analysis of vulnerabilities in proprietary code, open source components, and runtime configuration and behaviour.
- Analysing and understanding your application security risk profile so you can focus your efforts. Knowing what's important requires a team of experienced security experts to analyse an application portfolio quickly and effectively. Every organisation also has limited time and budget, so focusing on the most important areas is vital.
Ensure your team has sufficient skills and resources
Customers and users care about the timely delivery of application features and functionality. But given the potential for loss of privacy, identity theft, and financial damages from vulnerabilities, they care even more about security. That creates a problem for many organisations because the growth in their application portfolio has exceeded their application security capacity. Close the gap between your application security needs and resources by:
- Developing a program to raise the level of AppSec competency in your organisation. Set objectives, outline a clear strategy, and clarify the resources you'll need to get there. Be sure you're focusing on the actions that will have the biggest positive impact on your software security program at the least possible cost.
- Providing your staff with sufficient training in AppSec risks and skills. High-quality training solutions can help security teams raise the level of application security skills in their organisations.
- Augmenting internal staff to address skill and resource gaps. Find a trusted partner that can provide on-demand expert testing, optimise resource allocation, and cost-effectively ensure complete testing coverage of your portfolio. You may even explore professional services to help you solve a wide variety of software security initiative challenges.
- Monitoring your AppSec training program's effectiveness. Providing training is not the final solution; there needs to be a feedback loop. By monitoring which vulnerabilities developers are introducing, you can identify how to tune the training program to address them.
Address changing AppSec risks when moving to the cloud
If you’re like most development and operations teams, you’re highly motivated to move application deployment and operations to the public cloud for its obvious advantages: increased agility and reduced operating costs. However, such a move also comes with well-known risks: loss of visibility and control over the infrastructure and services that affect application security. If teams don’t understand and address the risks of the cloud environment, it can lead to breaches and data loss.
Therefore, if you’re planning to migrate existing applications to the cloud or building new applications to deploy in the cloud, you also need to plan for the unique security risks of the cloud.
- Make sure you understand your cloud security provider’s risks and controls. It’s essential that your security, development, and operations teams know how to handle the new security risks that emerge as you migrate to the cloud. Start with a cloud security assessment that identifies specific security risks and opportunities associated with a target cloud platform.
- Develop a structured plan to coordinate security initiative improvements with cloud migration. Once you fully understand the risks, you can create a roadmap for your cloud migration to ensure all teams are in alignment and your priorities are clear.
- Establish security blueprints outlining cloud security best practices. Security blueprints lay out your cloud migration’s architectural structure with baseline security controls. They can help guide development teams and systems integrators in building and deploying cloud applications more securely.
The bottom line
Application security is not a one-time event. It's a continuous journey. Doing it effectively means building security into your SDLC without slowing down delivery times. Following some or all of the best practices described above will get you headed in the right direction.