CyberRes is a Business Reporter client
Security on its own is not enough. Too little, and organizations are open to critical, potentially existential, threats. But too much and they face the risk of being mired in procedures that erode efficiency, hold back change, waste money, and frustrate workers.
Most organizations recognize that security must be balanced with business imperatives that accelerate innovation and support profitability. But when it comes to application security (AppSec), it can be hard to get this balance right.
AppSec in a connected world
In an increasingly connected and app-dependent world, security practices around application development must play a fundamental role in any cyber-resilience strategy.
A new research report from resilience specialists CyberRes, the 2022 AppSec Trend Report, outlines key application security trends that organizations must address urgently. These include a need to secure the software supply chain, a focus on API security, and the need to apply application security throughout the whole software development lifecycle.
Why is AppSec so important? Because many of the most significant data breaches have involved security flaws in applications, such as the recent Plex media server breach, the Ronin cryptocurrency network breach, and, perhaps most worrying of all, the LastPass password vault breach.
These breaches often happen because of the way apps have been developed. Newly created source code may contain flaws, often because it is being developed within tight deadlines, by organizations that prioritize time and cost over secure coding practices. And because of time constraints, developers reuse open-source code, which frequently contains vulnerabilities.
In fact, three quarters of web applications have at least one important security issue. Criminals know this, which is why 94 per cent of successful attacks are targeted at applications or the APIs that developers use.
The importance of API security
Application programming interfaces (APIs) are particularly at risk from cyber-criminals. APIs are vital in modern application development. For example, they enable a banking application running on a smartphone to connect to the bank’s back-end services to display the latest account information to the user. Because they are fundamental to so many online services, they are a major target for hackers. Half of all B2B transactions will be conducted through APIs by 2023: this represents an enormous risk across commerce and industry.
Unfortunately, the API ecosystem is complex, which makes it hard to manage. APIs may be already publicly available, they may be developed by a third-party partner (who may or may not be compliant with appropriate standards), or they may be developed internally. They operate at different levels, from the “experience” level, where end-users are interacting with an application, right down to the “system” level where APIs are responsible for the mechanics of an application – for example, connecting databases with AI algorithms. And sometimes they link software operated by two totally separate organizations (a bank and a retailer, perhaps), something that can make the overall solution more vulnerable.
Because of this complexity, ensuring the robust security of applications and APIs is not easy. And this is further complicated by the need to balance security with business requirements.
Balancing security and business imperatives
All organizations have a mission, whether that is making profits or doing social good. Very few are in business simply “to be secure”. Security is not a strategic aim in itself; rather it is something that supports strategic aims. These may include:
- Innovation and market requirements. Robust security governance enables new applications to be developed quickly. People may not buy products just because they are secure. But they will certainly avoid them if they are not. Development processes must therefore keep security at their heart, but at the same time maintain the speed required for businesses to go to market quickly and confidently
- Compliance with legal and regulatory requirements. A good application security programme reduces the possibility of litigation, fines or reputational damage caused by the loss of customer or employee data. In addition, in some industries such as financial services, an adequate level of security may be a precondition of doing business
- Flexibility. Today’s commercial environment is volatile, uncertain and complex. Software developers must be able to respond to unexpected change while keeping the code secure. For example, adding a new feature to a service must be done in such a way that the security of the whole service is not compromised. And solutions must be capable of being scaled up or down, as changing commercial circumstances require
- Efficiency. Development costs will always be important. This means that software development must be as efficient as possible, with software able to be deployed easily and without using up unnecessary resources. Automation is a significant driver of efficiency, while vendors who can offer fast and easy on-boarding and flexible deployment models will also be essential
With the right tools and processes, robust security is compatible with these business imperatives, and developers can be empowered to own security and seamlessly integrate it into their coding practices at speed. For this to happen, though, a culture of security testing throughout the development lifecycle must be in place.
AppSec testing
Frequently, software security tools are used to scan for common vulnerabilities in software that has already been deployed. However, this approach is likely to leave the applications vulnerable and means vulnerabilities are more costly to fix when found. A better approach is to find and fix vulnerabilities earlier in the software development lifecycle.
Static application security testing (SAST) should be in place to scan the code of each independent component as it is written. Separately, dynamic application security testing (DAST) should be used to scan web applications as they run, in much the same way that a hacker would.
In addition, attack-surface discovery should be implemented. This involves analysing the endpoints, services (such as cloud and web servers) and other parameters (such as SSL certificates and IP addresses) that could provide entry points for attack vectors.
The adage should be that app security testing should be “everywhere and often”. Developers should be encouraged to become primary drivers when it comes to security testing. Instead of incentivizing them to just get software “out the door”, they should also be given the tools and resources to identify and fix vulnerabilities without significant loss of momentum or an impact on time to release.
Efficient application security testing will take account of the main trends identified in the CyberRes AppSec trends report. These include:
- Cloud native AppSec. With multi-cloud infrastructure now the norm, there are specific AppSec requirements for applications running in the cloud. For example, when applications are migrated to the cloud there will be a need to retest them, as attack vectors and data repository dependencies are different
- Security orchestration. Where there are large teams of developers across an organization, they should be empowered with scalable scanning and security solutions. To ensure efficiency, solutions should aggregate, analyze, and report results into a single place—providing visibility into all of the application security initiatives within an organization and delivering a holistic overview of AppSec data for senior executives
- SAST and DAST. Security testing should involve both static (SAST) and dynamic (DAST) testing. SAST helps you find complex problems such as those related to data flow (such as SQL injections). In addition, it speeds up secure code reviews by automating some of the process. In contrast DAST can find different types of issues, working like a hacker and finding exploits in operational environments. And because, like SAST, it is largely automated, DAST can free up your pen testers to focus on more complex testing
The importance of automated application security testing
Companies that use automation are twice as likely to implement security testing on a regular basis. Around a third of organizations (32 per cent) still manually integrate their security tools. This still leaves huge scope for improvement in software development pipelines.
In the other two thirds of organizations, automation is well established. However, security testing protocols are evolving further with the increasing use of artificial intelligence, and specifically machine learning (ML), as the CyberRes research points out.
One way of using ML is to drive the eradication of false positive threat identification, which is such a drain on the energies of security teams. ML will continually learn from past results, getting more and more accurate. It is never perfect of course, and human intervention, initially to train the system and then to validate decisions, is an essential part of any ML programme.
Processes in application development continue to evolve. The pace of change associated with the security testing of apps is also accelerating. Successful application development requires organizations to recognize the need for security risks to be balanced against business imperatives and the requirement for constant innovation. By acting on today’s trends in application security, organizations will be enabled to deliver secure applications, flexibly, cost effectively and at speed.
The CyberRes Fortify security testing tool can help you balance your security and business requirements. Don’t just take our word for it. Check out the Gartner Application Security Testing Magic Quadrant. Or read how the US Air Force’s Chief Security Officer has improved their security posture with Fortify. You can download a free trial of Fortify on Demand here.
Originally published on Business Reporter