Application Security: Balancing software security with business imperatives

CyberRes is a Business Reporter client

Security on its own is not enough. Too little, and organizations are open to critical, potentially existential, threats. But too much and they face the risk of being mired in procedures that erode efficiency, hold back change, waste money, and frustrate workers.

Most organizations recognize that security must be balanced with business imperatives that accelerate innovation and support profitability. But when it comes to application security (AppSec), it can be hard to get this balance right.

In an increasingly connected and app-dependent world, security practices around application development must play a fundamental role in any cyber-resilience strategy.

A new research report from resilience specialists CyberRes, the 2022 AppSec Trend Report, outlines key application security trends that organizations must address urgently. These include a need to secure the software supply chain, a focus on API security, and the need to apply application security throughout the whole software development lifecycle.

Why is AppSec so important? Because many of the most significant data breaches have involved security flaws in applications, such as the recent Plex media server breach, the Ronin cryptocurrency network breach, and, perhaps most worrying of all, the LastPass password vault breach.

These breaches often happen because of the way apps have been developed. Newly created source code may contain flaws, often because it is being developed within tight deadlines, by organizations that prioritize time and cost over secure coding practices. And because of time constraints, developers use Open Source code which frequently contains vulnerabilities.

In fact, three quarters of web applications have at least one important security issue. Criminals know this, which is why 94 per cent of successful attacks are targeted at applications or the APIs that developers use.

Application programming interfaces (APIs) are particularly at risk from cyber-criminals. APIs are vital in modern application development. For example, they enable a banking application running on a smartphone to connect to the bank’s back-end services to display the latest account information to the user. Because they are fundamental to so many online services, they are a major target for hackers. Half of all B2B transactions will be conducted through APIs by 2023: this represents an enormous risk across commerce and industry.

Unfortunately, the API ecosystem is complex, which makes it hard to manage. APIs may be already publicly available, they may be developed by a third-party partner (who may or may not be compliant with appropriate standards), or they may be developed internally. They operate at different levels, from the “experience” level, where end-users are interacting with an application, right down to the “system” level where APIs are responsible for the mechanics of an application – for example, connecting databases with AI algorithms. And sometimes they link software operated by two totally separate organizations (a bank and a retailer, perhaps), something that can make the overall solution more vulnerable.

Because of this complexity, ensuring the robust security of applications and APIs is not easy. And this is further complicated by the need to balance security with business requirements.

All organizations have a mission, whether that is making profits or doing social good. Very few are in business simply “to be secure”. Security is not a strategic aim in itself; rather it is something that supports strategic aims. These may include:

With the right tools and processes, robust security is compatible with these business imperatives, and developers can be empowered to own security and seamlessly integrate it into their coding practices at speed. For this to happen, though, a culture of security testing throughout the development lifecycle must be in place.

Frequently, software security tools are used to scan for common vulnerabilities in software that has already been deployed. However, this approach is likely to leave the applications vulnerable and means vulnerabilities are more costly to fix when found. A better approach is to find and fix vulnerabilities earlier in the software development lifecycle.

Static application security testing (SAST) should be in place to scan the code of each independent component as it is written. Separately, dynamic application security testing (DAST) should be used to scan web applications as they run, in much the same way that a hacker would.

In addition, attack-surface discovery should be implemented. This involves analysing the endpoints, services (such as cloud and web servers) and other parameters (such as SSL certificates and IP addresses) that could provide entry points for attack vectors.

The adage should be that app security testing should be “everywhere and often”. Developers should be encouraged to become primary drivers when it comes to security testing. Instead of incentivizing them to just get software “out the door”, they should also be given the tools and resources to identify and fix vulnerabilities without significant loss of momentum or an impact on time to release.

Efficient application security testing will take account of the main trends identified in the CyberRes AppSec trendsreport. These include:

Companies that use automation are twice as likely to implement security testing on a regular basis. Around a third of organizations (32 per cent) still manually integrate their security tools. This still leaves huge scope for improvement in software development pipelines.

In the other two thirds of organizations, automation is well established. However, security testing protocols are evolving further with the increasing use of artificial intelligence, and specifically machine learning (ML), as the CyberRes research points out.

One way of using ML is to drive the eradication of false positive threat identification, which is such a drain on the energies of security teams. ML will continually learn from past results, getting more and more accurate. It is never perfect of course, and human intervention, initially to train the system and then to validate decisions, is an essential part of any ML programme.

Processes in application development continue to evolve. The pace of change associated with the security testing of apps is also accelerating. Successful application development requires organizations to recognize the need for security risks to be balanced against business imperatives and the requirement for constant innovation. By acting on today’s trends in application security, organizations will be enabled to deliver secure applications, flexibly, cost effectively and at speed.

The CyberRes Fortify security testing tool can help you balance your security and business requirements. Don’t just take our word for it. Check out the Gartner Application Security Testing Magic Quadrant. Or read how the US Air Force’s Chief Security Officer has improved their security posture with Fortify. You can download a free trial of Fortify on Demand here.

Originally published on Business Reporter