Romain Lecoeuvre, CTO of YesWeHack, discusses how organisations can mitigate an influx of vulnerable applications
Ensuring that application vulnerabilities are mitigated is key to protecting data, now and in the future.
Software development is crucial for any modern business. From improving client experiences to bringing feature-rich and innovative products to market, the need to build secure applications has never been more important. Yet, with DevOps teams needing to build and deploy applications faster than ever before to meet growing business demands, an epidemic of vulnerable applications has emerged.
According to market research firm Osterman, 81% of developers admit to knowingly releasing vulnerable applications. Another study, from open-source security provider WhiteSource, found that 73% of developers are forced to cut corners and sacrifice security for speed. Clearly, a cycle of application insecurity exists, and it is crucial to understand what causes it. Only then can organisations remediate application insecurity and minimise the risk of malicious attacks with detrimental consequences for the business.
The principal reasons for the cycle of insecurity
There are several factors at play causing security to be a low priority during the application development phase, creating an insecure environment from the start.
A key one is the lack of time and appropriate tools for development teams during the design and maintenance phases. This is reflected in the priority given to functionality before any consideration of security or even maintainability takes place – predominantly due to the pressure of getting an application to market as quickly as possible.
Development times also tend to be much longer because of factors such as the need to add several new functionalities to an application at later stages. This compromises not only the testing and quality of an application but also its security, because security is not implemented throughout the application lifecycle.
Then there are the technical choices that are made in the design and architecture phases. Here we find that organisations typically overlook or do not consider the importance of the security level of a solution or the team’s expertise to secure it.
Businesses can no longer treat security as a bolt-on to software application projects. Organisations must place the same emphasis on strong security as on speed and encourage its embedding throughout the software production cycle to avoid producing gaps that could prove costly.
Security awareness still remains an issue
The fundamental root cause of application insecurity is that security awareness training for developers is virtually non-existent. Developers do not willingly deploy vulnerable applications in the hope that exploits are never found. Rather, a lack of exposure and experience means they often do not understand the actual severity of some of the vulnerabilities.
At the same time, there is a global shortage of experienced developers, as evidenced by the fact that vacancies for application security developers are set to grow 164% in the next five years. Finding an experienced developer with a rounded skillset is like finding a needle in a haystack. As a result, there is more economic value for businesses in training their developers in cyber security, building their competence in secure development methods tied to their business.
In essence, vulnerabilities fall into two major categories: technical vulnerabilities and business logic flaws. The former can be managed or prevented by hardening the development frameworks, a process driven by constant technological evolution. The latter, by contrast, are tied to the nature of the business the organisation runs and cannot be protected against by default by a development framework.
It’s for this reason that businesses must train their developers not only in generic security – and the appropriate usage of the secure development framework the company runs – but also on business logic flaws. Naturally, these will be different for every business dependent on the operation it carries out.
Our research shows that in terms of types of vulnerabilities detected, the evolution of technologies has led to a slight but upward trajectory of business logic flaws (e.g., secure design) while seeing a reduction in the number of technical vulnerabilities (e.g., input issues). This trend will only grow in the coming years as the hardening of the development frameworks continues.
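To make the distinction concrete, here is an added illustration (not code from the article or from YesWeHack) of a constructed toy shop with an in-memory SQLite database. The product lookup shows a technical vulnerability class, SQL injection, that the data-access layer prevents on its own through parameter binding. The two pricing functions then show a business logic flaw that no framework can catch: the naive version accepts a negative quantity and a single-use coupon applied twice, producing a negative total, while the checked version encodes the shop's own rules explicitly. The table layout, coupon code, prices and the `MAX_QUANTITY` cap are all assumed sample values.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory shop database (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.execute(
        "CREATE TABLE coupons (code TEXT PRIMARY KEY, discount_cents INTEGER, single_use INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1000), (2, "gadget", 2500)],
    )
    conn.execute("INSERT INTO coupons VALUES (?, ?, ?)", ("SAVE5", 500, 1))
    conn.commit()
    return conn


def lookup_product(conn: sqlite3.Connection, product_id) -> Optional[dict]:
    """Technical vulnerability class (SQL injection) handled by the framework.

    The value is bound as a parameter, so whatever the caller passes is data,
    never query text. A hostile-looking string simply matches no row.
    """
    row = conn.execute(
        "SELECT id, name, price_cents FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    if row is None:
        return None
    return {"id": row[0], "name": row[1], "price_cents": row[2]}


def coupon_discount(conn: sqlite3.Connection, code) -> Optional[tuple]:
    """Return (discount_cents, single_use) for a coupon, or None if unknown."""
    row = conn.execute(
        "SELECT discount_cents, single_use FROM coupons WHERE code = ?", (code,)
    ).fetchone()
    return None if row is None else (row[0], bool(row[1]))


def price_order_naive(conn, product_id, quantity, coupon_codes) -> int:
    """Business logic flaw: injection-safe, yet wrong.

    Every query is parameterised, so the framework has done its job. The defect
    is that the shop's own rules (quantity must be positive, a single-use coupon
    counts once, a total cannot go below zero) were never written down as code.
    """
    product = lookup_product(conn, product_id)
    if product is None:
        raise ValueError("unknown product")
    total = product["price_cents"] * quantity
    for code in coupon_codes:
        discount = coupon_discount(conn, code)
        if discount is not None:
            total -= discount[0]
    return total


MAX_QUANTITY = 100  # assumed per-order cap; a policy value the shop would choose


def price_order_checked(conn, product_id, quantity, coupon_codes) -> int:
    """Same computation with the business rules enforced explicitly."""
    product = lookup_product(conn, product_id)
    if product is None:
        raise ValueError("unknown product")
    # bool is a subclass of int, so exclude it explicitly
    if (not isinstance(quantity, int) or isinstance(quantity, bool)
            or not 1 <= quantity <= MAX_QUANTITY):
        raise ValueError("quantity must be an integer between 1 and %d" % MAX_QUANTITY)
    total = product["price_cents"] * quantity
    seen = set()
    for code in coupon_codes:
        discount = coupon_discount(conn, code)
        if discount is None:
            raise ValueError("unknown coupon %r" % code)
        discount_cents, single_use = discount
        if single_use and code in seen:
            raise ValueError("coupon %r may only be applied once" % code)
        seen.add(code)
        total -= discount_cents
    if total < 0:
        raise ValueError("discounts exceed order value")
    return total


if __name__ == "__main__":
    db = make_db()
    print(lookup_product(db, "1 OR 1=1"))                      # None: bound as data
    print(price_order_naive(db, 1, -3, ["SAVE5", "SAVE5"]))    # -4000: a refund!
    print(price_order_checked(db, 1, 2, ["SAVE5"]))            # 1500
```

The point for training is that a scanner or a hardened framework will report nothing wrong with `price_order_naive`; only someone who knows the business rule ("one coupon per order, no negative quantities") can recognise the flaw, which is why the article argues that business logic training cannot be generic.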
Making training a priority
Organisations must give more time and resources to the development teams while also training them to build secure applications. This will lead to teams being more confident and proactive in integrating a security dimension into their projects.
Crucial to this is implementing processes that encourage cyber security best practices. This will provide the missing link between the security and technical divisions and ensure the application’s security component is addressed the same way its quality assurance is assessed. It also allows for security to be directly integrated into the software development life cycle (SDLC), making applications more secure from the get-go.
Becoming a security champion
To further change the status quo and eliminate security gaps in application development, security must involve all teams in every phase of the SDLC. Otherwise, things go amiss and prevention becomes reactive rather than proactive. It is wrong to deal only with the consequences once they occur, as many vulnerability incidents can be avoided if the proper procedures are put in place from the outset.
The best tactic for a holistic approach is to make collaboration between security and technical teams a standard practice. This ensures teams are aligned from the beginning. In turn, vulnerabilities can be detected at the earliest opportunity and rectified before the application’s deployment. This is why approaches such as designating a “security champion” within the technical teams, or DevSecOps, are taking on a different dimension within many companies.
When these DevOps and SDLC approaches are adopted, it is vital to extend a complete security control cycle to the classic application design phase to achieve fortified security. It should encompass code review, scanning, pen-testing, or bug bounty on the pre-production and production environments to continuously run checks throughout the application’s lifetime.
The benefit of bug bounties
In addition to ensuring the proper training is in place and teams are working holistically, there are solutions businesses can adopt that minimise security risk. One is a bug bounty: a reward offered to individuals who identify an error or vulnerability in a computer program. The security awareness of developers can be improved significantly if they are directly involved in managing the vulnerability reports from their bug bounty programmes.
The mere act of exchanging information with ethical hackers or assimilating the thinking of a potential hacker can help developers realise security pitfalls they may not have considered before. In addition, when it comes to technical vulnerabilities and business logic flaws, collaborating with ethical hackers brings business value, as their experience and creativity cannot be matched by a development framework.
Having proof of concepts of vulnerability exploitation on their application components naturally accelerates the rise in competence and consideration of security early in the development stage. Ultimately, this allows for applications to be more secure and leaves businesses with the assurance that they can operate safely.
The three components for a secure application
It is apparent then that the three key components for breaking the cycle of insecurity indefinitely include providing developers more time and resources, delivering security awareness training, and investing in security solutions that provide continuous testing of the application through its entire lifecycle.
By ensuring these approaches are implemented in the SDLC, businesses can create more secure applications and reduce the risk of being impacted by a vulnerability that could lead to financial, productivity and reputational damage if exposed. Ultimately, having secure applications helps businesses protect their data, maintain profitability and drive innovation and growth, both now and in the future.