Cyber defense is high on the agenda for many companies after a year of high-profile attacks, but AppSec needs to be part of that agenda, writes AJ Thompson, CCO of the IT consulting firm Northgate plc.
With cyber attacks on the rise, cyber security has risen higher on the agenda for businesses across the UK. High-profile attacks have raised awareness within businesses and the general public about the seriousness of cybercrime and its potential impact.
The last two years have shown that highly organized and ruthless criminal nations and gangs are targeting businesses and organizations of all sizes. With that in mind, companies are generally stepping up their efforts to protect data and infrastructure.
One area that cybercriminals are increasingly looking to exploit is flaws within applications. These often sit at the front end of a business, so if there are weaknesses for criminals to exploit, businesses essentially leave the door open and their data exposed. Ensuring good application security (AppSec) is therefore critical for every organization.
In 2022, all companies use some type of software in their daily operations. Software is also central to all aspects of our lives, even in areas we don’t expect, and yet despite this important role in our everyday business and personal lives, applications remain one of the most vulnerable areas within organizations.
Veracode’s State of Software Security report highlights some rather disturbing trends within applications. After studying 130,000 apps, the report found that 76 percent of apps had some kind of bug, with 24 percent showing very serious bugs. This highlights a core problem that resides in most companies.
However, there are real signs of a growing awareness of the importance of AppSec. Veracode’s SoSS 12 report also showed a 20x increase in average scan rate over the last 10 years with an increasing number of apps scanned per quarter. So while a large percentage of apps had a flaw, businesses now recognize the threat.
Equally encouraging, the government is also increasing its efforts to identify and counter the threat of application security flaws. In its Government Cyber Security Strategy 2022-2030, the Government is attempting to build greater resilience within public sector cyber security. Two of the key elements of the report are software security and AppSec, which highlight the potential threat to the public sector (and more broadly). The fact that both have such a high profile within the government’s cyber security priorities is really important and the private sector should take note.
Securing applications throughout the software development lifecycle is critical to protecting the entire organization. Applications are often the “front door” of businesses, allowing customers and partners to interact with the organization. Apps are also often available on multiple networks in addition to being connected to the cloud. This greatly increases an organization’s vulnerability, giving cybercriminals multiple opportunities to gain access.
Much of the focus of the past year has been on securing the “back door” as a result of multiple successful high-profile attacks originating with third parties and partners. While businesses are more aware of this threat and of the importance of getting a 360-degree view of vulnerabilities, the fact that many leave their ‘front doors’ wide open undermines any further efforts to close the back door.
Get Board Acceptance
Like any business decision that involves spending, communicating the benefits and value of AppSec to the board of directors will be critical to justifying the investment. Despite the growing recognition of AppSec, CISOs and other owners of application security programs still find themselves having to advocate for application security initiatives.
Proving the effectiveness of your AppSec strategy will depend entirely on the buy-in of your development team. The key here is to highlight the speed at which development teams are leveraging APIs to integrate security into their processes, and then demonstrate that developers are taking the time to identify and fix flaws. Highlighting this fix rate can also show where additional training or investment in resources is needed.
Stressing to the board that this is also an ongoing process and not a one-time investment is important to ensure continued support. A key metric here is the correlation between security activities early in the development process and the number of security flaws found in the final product.
Updating open source libraries is crucial, and yet it remains low on the priority list.
A July 2021 report found that 60 percent of companies reported increasing their use of open source software over the previous 12 months.
While there are obviously multiple benefits to moving to an open source software approach, the nature of open source software libraries means that they are constantly changing. What is safe today may not be safe tomorrow. Therefore, ensuring that third-party libraries are constantly updated by developers is crucial to ensuring security. However, Veracode’s research found that 79 percent of developers never update third-party libraries, potentially leaving companies open to attack.
This is particularly disappointing when you consider that 92 percent of library flaws can be fixed with an update (Veracode State of Software Security – Open Source 2021) and 69 percent of updates are a minor version change or less, which means there is very little chance of disruption but a great impact on a company’s cyber defense.
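To make the "minor version change or less" point actionable, here is an added example (not from the article or Veracode) that triages a constructed dependency manifest by semantic-version bump type, so a team can see which library updates are low-risk patch or minor bumps and which are majors that need planning. Library names and versions are hypothetical.

```python
import re
from collections import Counter

# Constructed sample manifest: (library, pinned version, latest available version).
# Names and versions are hypothetical, not taken from the article.
SAMPLE_MANIFEST = [
    ("libalpha", "1.4.2", "1.4.9"),
    ("libbeta", "2.0.0", "2.3.1"),
    ("libgamma", "0.9.5", "1.0.0"),
    ("libdelta", "3.1.0", "3.1.0"),
    ("libepsilon", "5.2.7", "6.0.2"),
]

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_semver(version):
    """Parse the leading MAJOR.MINOR.PATCH of a version string into a tuple of ints."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(x) for x in m.groups())


def classify_update(current, latest):
    """Return 'none', 'patch', 'minor' or 'major' for the jump from current to latest."""
    cur, new = parse_semver(current), parse_semver(latest)
    if new <= cur:
        return "none"          # already current (or pinned ahead of the index)
    if new[0] != cur[0]:
        return "major"         # API may break; needs planning and testing
    if new[1] != cur[1]:
        return "minor"         # backwards-compatible additions; usually safe to take
    return "patch"             # bug/security fixes only; lowest-risk update


def triage(manifest):
    """Classify each library and report the share of outdated ones that are minor-or-less."""
    kinds = {name: classify_update(cur, new) for name, cur, new in manifest}
    outdated = {n: k for n, k in kinds.items() if k != "none"}
    counts = Counter(outdated.values())
    low_risk = counts["patch"] + counts["minor"]
    share = round(low_risk / len(outdated), 2) if outdated else 0.0
    return kinds, share


if __name__ == "__main__":
    kinds, share = triage(SAMPLE_MANIFEST)
    for name, kind in kinds.items():
        print(f"{name:12s} {kind}")
    print(f"minor-or-less share of outdated libraries: {share:.0%}")
```

Run regularly against your real lock file, the share of low-risk updates is a useful board metric alongside the fix rate discussed above.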
Not a one-time fix: add a zero-trust approach
The key to successful software security is that it should not be viewed as a one-size-fits-all solution. It has to be fully integrated throughout the software development process, from conception and throughout the life of the application.
Gaining company-wide buy-in is crucial if application security policies are to be successful. Cybercriminals seek to gain access at all points, anywhere a vulnerability is found. Along with an ongoing application security policy, companies must take a zero-trust approach to all aspects of cybersecurity.
A zero-trust approach is a security framework that requires all users to be continuously authenticated, authorized, and validated before they are allowed to reach or gain access to data or infrastructure. This reduces the chance of unauthorized access, even when a request appears to come from an authorized person. Taking this holistic approach alongside application security processes means companies can apply layered security to every user, device, application, database, and access point.
The increased recognition, especially at the executive level, of the cyber threats facing organizations is very encouraging, as is the growth in the number of applications that businesses scan. The key is to ensure that AppSec remains high on the cybersecurity agenda and to gain buy-in from all levels of the business. Leaving the ‘front door’ open while securing all other areas is not an effective or long-term way to protect your business against an increasingly determined and sophisticated cybercriminal.