Cyber-defence is top of the agenda of many businesses after a year of high profile attacks, but AppSec has to be included in this, writes AJ Thompson, CCO of the IT consultancy firm Northdoor plc.
With cyber attacks on the rise, cybersecurity has climbed higher on the agenda of businesses throughout the UK. High profile attacks have increased the awareness within businesses and the general public of the seriousness of cybercrime and its potential impact.
The last two years have shown that nations and highly organised and ruthless criminal gangs are attacking businesses and organisations of all sizes. With that in mind businesses are, on the whole, stepping up their efforts to protect data and infrastructure.
One area that cyber criminals are increasingly looking to exploit is flaws within applications. These often sit at the front-end of a business, meaning that if there are areas criminals can exploit, businesses are essentially leaving the front-door open and their data exposed and vulnerable. The need for businesses to ensure good Application Security (AppSec) throughout the organisation is therefore critical.
In 2022 every company uses some form of software within its day-to-day function. Software is also critical throughout every aspect of our lives, even in areas we do not expect, and yet despite this important role in our day-to-day business and personal lives, applications remain one of the most vulnerable areas within organisations.
Veracode’s State of Software Security report highlights some rather disturbing trends within applications. After studying 130,000 applications, the report found that 76 percent of applications had some form of flaw within them, with 24 percent showing high-severity flaws. This highlights a core issue that resides within most businesses.
However, there are real signs of a growing awareness of the importance of AppSec. Veracode’s SoSS 12 report also showed a 20x increase in the average scan cadence over the past 10 years, with an increasing number of apps being scanned per quarter. So, whilst a large percentage of applications had a flaw within them, companies are now recognising the threat.
Equally encouragingly, the Government is also upping its efforts to identify and counter the threat from application security flaws. In its Government Cyber Security Strategy 2022-2030 the Government is attempting to build increased resilience within public sector cyber security. Two of the key elements within the strategy are software security and AppSec, highlighting the potential threat to the public sector (and more broadly). The fact that both have such a high profile within the Government’s cyber security priorities is really important and something the private sector should be taking note of.
Securing applications throughout the software development lifecycle is critical to protect the entire organisation. Apps are often the ‘front-door’ of businesses, allowing customers and partners to interact with the organisation. Apps are also often available over various networks as well as being connected to the cloud. This increases the vulnerability of an organisation considerably, giving cybercriminals multiple opportunities to gain access.
Much focus of the last year has been on securing the ‘back-door’ as a result of multiple successful high-profile attacks originating with third parties and partners. Whilst companies are more aware of this threat and the importance of gaining a 360-degree view of vulnerabilities, the fact that many are leaving their ‘front-doors’ wide open negates any other efforts to close the back.
Gaining buy-in from the board
Like any business decision involving spend, communicating the benefits and value of AppSec to the board will be critical in justifying the spend. Despite the increasing recognition of AppSec, CISOs and other application security program owners still find themselves in the position of defending application security initiatives.
Demonstrating the effectiveness of your AppSec strategy will depend entirely on the buy-in from your development team. The key here is highlighting the rate at which development teams are taking advantage of APIs to integrate security into their processes and then proving that developers are taking the time to identify and fix flaws. Highlighting this fix rate can also prove where additional training or resource investment is needed.
Highlighting to the board that this is also an ongoing process and not a one-off investment is important to ensure ongoing support. A key metric here is the correlation between security activities early in the development process and the number of security flaws found in the final product.
Updating open source libraries is crucial and yet remains low on the priority list
A report from July 2021 found that 60 percent of businesses reported that they increased the use of open-source software during the previous 12 months.
While there are obviously multiple benefits of moving to an open source software approach, the nature of open source software libraries means that they are constantly changing. What is secure today may not be tomorrow. Therefore, ensuring that developers are constantly updating third-party libraries is crucial. Veracode’s research, however, has found that 79 percent of developers never update third-party libraries, leaving businesses potentially exposed to attack.
This is particularly disappointing when one considers that 92 percent of library flaws can be fixed with an update (Veracode State of Software Security – Open Source 2021) and 69 percent of updates are a minor version change or less, meaning very little chance of disruption, but a huge impact on the cyber defence of a business.
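The argument above (most library flaws are fixed by an update, and most of those updates are a minor version change or less) is easy to act on if the update distance is computed per dependency. The following is an added example, not code from the article or from Veracode: the dependency inventory, the package names and the advisory feed are all constructed for illustration, and only semantic versions of the form MAJOR.MINOR.PATCH are assumed.

```python
"""Triage third-party library updates by semantic-version distance (added example).

Given a constructed dependency inventory and a constructed advisory feed, report
which libraries are below the first fixed version and whether applying the fix is
a patch, minor or major change, so low-disruption updates can be scheduled first.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str   # hypothetical package name, constructed for this example
    fixed_in: str  # first version carrying the fix; anything lower is affected


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn 'v1.2.3' / '1.2' into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in v.strip().lstrip("v").split(".")[:3]]
    while len(nums) < 3:          # '1.2' is treated as 1.2.0
        nums.append(0)
    return nums[0], nums[1], nums[2]


def update_kind(current: str, fixed: str) -> str:
    """Classify the jump from current to fixed: 'none', 'patch', 'minor' or 'major'."""
    c, f = parse_version(current), parse_version(fixed)
    if f <= c:
        return "none"              # already at or beyond the fixed version
    if f[0] != c[0]:
        return "major"             # API may break; plan and test before applying
    return "minor" if f[1] != c[1] else "patch"


def triage(inventory: dict[str, str], advisories: list[Advisory]) -> list[dict]:
    """One finding per dependency still below an advisory's fixed version."""
    findings = []
    for adv in advisories:
        current = inventory.get(adv.package)
        if current is None or parse_version(current) >= parse_version(adv.fixed_in):
            continue
        findings.append({"package": adv.package, "current": current,
                         "fixed_in": adv.fixed_in,
                         "update": update_kind(current, adv.fixed_in)})
    return findings


def share_minor_or_less(findings: list[dict]) -> float:
    """Fraction of outstanding fixes that are a minor version change or less."""
    if not findings:
        return 0.0
    return sum(f["update"] in ("patch", "minor") for f in findings) / len(findings)


# Constructed sample data: installed versions and a matching advisory feed.
INVENTORY = {"examplelib": "2.3.1", "parserkit": "1.8.0",
             "legacyauth": "0.9.4", "netutils": "4.1.2"}
ADVISORIES = [Advisory("examplelib", "2.3.4"), Advisory("parserkit", "1.9.0"),
              Advisory("legacyauth", "1.0.0"), Advisory("netutils", "4.0.0")]

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f['package']}: {f['current']} -> {f['fixed_in']} ({f['update']} update)")
```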
Not a one-time fix – adding in a zero-trust approach
The key to successful software security is that it should not be considered a one-time fix. It has to be fully integrated into the entire process of software development, from conception and throughout the life span of the application.
Gaining buy-in from the entire company is crucial if application security policies are going to be successful. Cybercriminals are looking to gain access at every point, wherever a vulnerability lies. Alongside an ongoing application security policy, businesses have to adopt a zero-trust approach to all aspects of cybersecurity.
A zero-trust approach is a security framework that requires all users to be continually authenticated, authorised and validated before they are allowed to get near or gain access to data or infrastructure. This reduces the chance of unauthorised access, even when it looks like it is the authorised individual. Taking this holistic approach alongside application security processes means companies are able to apply layered security to every user, device, application, database and access point.
The increased recognition, especially at the executive level, of the cyber threats facing organisations is very encouraging, as is the growth in the number of apps being scanned by businesses. The key is to ensure that AppSec remains high on the cyber security agenda and to gain buy-in from all levels of the business. Leaving the ‘front-door’ open whilst securing all other areas is neither a long-term nor an effective way of securing your business against an increasingly determined and sophisticated cybercriminal.