A recent report shows a greater number of companies are viewing their application development efforts with an eye toward security, as vulnerabilities introduced by poor code hygiene and other factors continue to rise.
Organizations are more aware than ever of application security risks, with the number of applications tested rising by 20%, but at the same time, remediation rates have fallen, according to NTT’s GTIC Monthly Threat Report.
“Also hampering organizations’ ability to keep up with vulnerabilities are the embeddable components in the software supply chain, which account for one-third of all application vulnerabilities,” the report stated, adding there has been a 50% increase in unpatched library vulnerabilities. “This is a dangerous trend, as more open-source and third-party software is embedded in organizations’ own applications. It also underlines the need for software vendors to raise their security standards.” It’s why DevSecOps needs to have a higher profile within the organization.
Why Apps Need Security Testing
Applications are an integral part of doing business, said John South, senior director of Global Threat Intelligence Development at NTT Ltd. “We develop applications to make it easier for customers to work with us. Where once we relied upon definitive boundaries between our internal networks and the internet, applications blur those lines as we reach out to customers to inform them or to accept data from them.”
But some of these applications convey important sensitive information, which is why applications should not be put into service without first testing the security of its design, coding and function. Application security specialists should be involved with all three segments, said South.
“The specialists will look at the coding practices and the way the application functions,” South said. “They will conduct penetration testing to understand if there is a potential for compromising the applications.”
The Race to Develop Apps
“Business has moved irrevocably to the marketplace, and development teams are cranking out new applications at unprecedented speeds,” noted Kashif Hafeez, senior director, Product Marketing at WhiteHat Security. “The race is on to rapidly develop and deploy secure applications, with the subsequent challenge of securing an app whose functionality and framework are already determined.”
And because applications are accessible from any location, Hafeez added, they are an easy target for hackers, who can exploit vulnerabilities in business-critical applications and gain access to backend corporate databases.
How to Address Application Security
This need to get the app online before it is secure is creating risks. In the report, WhiteHat Security offered three metrics-driven phases organizations can implement to better secure applications. They are:
Phase 1 – Risk Discovery and Management: Key Metrics. This metric involves recognizing the window of exposure when an application vulnerability can be exploited, how long it will take to fix the vulnerability and the remediation rate.
Phase 2 – Release Assurance: Key Metrics. This metric involves recognizing the industry baseline in fixing vulnerabilities, the percentage of vulnerabilities fixed and a vulnerability prevalence by class, which “to rapidly innovate, organizations are increasingly adopting open source and commercial off-the-shelf components.”
Phase 3 – Developer Enablement: Key Metrics. This metric involves setting up focused and recurring training for the development, operations and security teams, and to create a baseline toward security goals.
Security Isn’t a One-Off Proposition
Organizations should continue to test an application’s security, even after it has been initially tested and put into service.
“Over time, vulnerabilities arise,” said South. “Some of these may be in functions written in the code itself, some from the libraries that the application uses. These updates and remediation are analogous to the patching we do regularly on our computers.”
Applications change over time, South added, and while security issues may be addressed before deployment, it is equally important to establish a program to test and fix application security issues on a regular basis.
That’s why organizations need to make DevSecOps an integral part of the application development strategy, Hafeez said. “Embedding security in their development and operations in a phased approach as the need for securing a growing number of new applications becomes more critical and urgent.”