In a digital, cloud-powered and inter-connected world, enterprise applications need to be built to withstand a growing range of threats, writes Setu Kulkarni, pictured, VP Product Management, WhiteHat Security.
That’s because applications accessed over the web are proving easy targets for cyber criminals looking to exploit potential security vulnerabilities in order to steal data or take down vital systems. It’s a process that can cause high-profile, catastrophic disruption and bring the enterprise to its knees.
With attacks on core enterprise applications escalating, getting serious about application security is becoming a mission-critical priority. But for enterprises engaged in DevOps, this may well entail a change of mindset to ensure appropriate time, effort and investment is focused on building security in at the front end – the software development process itself.
Step 1 – Rethink your approach to AppSec
Application security (AppSec) encompasses measures taken through the lifecycle of software code to prevent vulnerabilities through flaws in the design, development, deployment, upgrade, maintenance or database of the application.
Yet all too often, efforts are focused largely on compliance and mitigation plans in the production phase, and not on catching potential issues – like XSS vulnerabilities – during development or on securing the software development lifecycle (SDLC). In other words, security is often an afterthought. As a result, AppSec efforts are spent testing application security at the end of the SDLC – instead of being embedded into the end-to-end software development process itself. In today’s threat landscape, it’s a risky approach that has the potential to put the enterprise in jeopardy.
Step 2 – Get developers ‘on side’
Maximising enterprise resilience will depend on getting DevOps teams trained up on security principles and best practices, so that they understand what’s involved in writing secure code that addresses the top security vulnerabilities that will typically manifest during production. Training over, developers should be incentivised to ensure that writing secure code is part and parcel of their planning and coding processes. That means ensuring they build in security measures that will minimise the likelihood of unauthorised code being used to manipulate applications to access, steal, modify or delete sensitive data.
Ideally, you should budget to scan both executable and executing code (static and dynamic scanning, respectively) throughout the SDLC, and not just in pre-production or production. Adopting this approach should ensure the most secure applications possible are achieved, for the lowest overall investment. To help maximise enterprise security budgets, utilise a risk-based assessment strategy to ensure that enterprise apps are evaluated on business criticality and threat potential. This will help ensure that efforts and resources are focused where they are most needed.
Step 3 – Put security on everyone’s agenda
Finally, creating strong links between product and security teams will help ensure that security is jointly viewed as a top priority in terms of budgets, resources and employee development. In this way you’ll be able to ensure your teams don’t find themselves constantly on the back foot and firefighting when it comes to application security. It’s worth remembering that finding vulnerabilities is just one aspect of AppSec – remediating and fixing problems is a much larger element of the discipline. But as with most things in life, prevention is better than cure.
After all, trying to fix problems or mitigate damage after the fact puts already squeezed resources and budgets under significant additional pressure. By which point, the financial and reputational impact on the enterprise may well have already been significant. By taking a more proactive approach to AppSec and ensuring that security is built in at the DevOps front end, you’ll be able to more effectively prioritise precious resources to maximise protection of enterprise assets.