App Security Takes a Back Seat in the Drive to Digital Transformation

As enterprises rushed to digitize their business processes in response to the COVID-19 pandemic, many businesses — if not most — rapidly pushed forward, only to ask application security questions later.

According to a survey released last week, conducted by Osterman Research at the request of cybersecurity and application delivery and security software provider Radware, just 61% of senior management is confident in their organization’s current security levels. That confidence in organizational security was essentially the same among security professionals, at 63%.

That lack of confidence suggests organizations are aware that app security slid as they rushed to digitally transform and shift to cloud services. This is further supported by the survey’s finding that fewer than one-half of respondents believe security is well-integrated into their application development pipelines. Interestingly, 43% said security should not interrupt end-to-end automation. Only 42% of respondents are confident their DevOps and security staff are adequately managing their responsibilities and eliminating blind spots in application protection.

Additionally, only 42% agree or strongly agree that their DevOps team and security staff know their responsibilities very well. Also, one-third of those surveyed don’t conduct any automated provisioning and testing as part of their development processes. That’s a big deal, because it’s those tests that help keep applications secure and available.

Many of these findings may be explained by how mature an organization’s application security was before the response to the pandemic required accelerated digital transformation. “If security wasn’t integrated in your development life cycle yet, it is reasonable to believe that at least some security-related tasks didn’t happen, or were executed with less focus,” says Wim Remes, CEO at Belgium-based information security consultancy Wire Security.

Remes added that such organizations are likely to face security cleanup work in the future. “Rather than taking the whack-a-mole approach, it is important to take this opportunity to improve processes and work iteratively to address those security issues that might come up. This ensures that your technical debt gets cleaned up, while also preparing you for future projects,” he said.

Theresa Payton, president and CEO at cybersecurity services provider Fortalice Solutions, recommended that every organization embed its security teams into its development life cycle. “One of the best ways to accomplish this is to rotate security members and assign them to a project,” Payton said.

During that process, she explained, inform the overall application development team that the goal is for software integration and delivery to make it through security reviews flawlessly, with no major glaring issues. For their part, security engineers should have a business mindset. This “business mindset” can be built by having security engineers shadow customers, or end-user service and support. “It’s the best way to build empathy for the end user, and help the security team find a path where they know how to design for the human versus designing security in such a way that the human works around it to get their job done,” she said.

While many respondents don’t trust their internal security processes, they probably trust those of their cloud providers even less. The survey found only 27% of respondents “completely trust” the security offered by their cloud providers. That lack of trust could be a good thing, if channeled into healthy skepticism and a “trust, but verify” attitude. “When it comes to technology, trust nobody,” added Payton. “If you design your systems assuming your provider is, or will be, compromised, you will design segmentation of processes and access points differently. Many of the public cloud platforms see more threats than the average enterprise, so it’s possible they have more visibility into cybercrime tactics and, therefore, might be better equipped to protect and defend your data. It’s vital to choose the right partner,” she added.

Finally, of those respondents who migrated to public cloud, 47% use more than one infrastructure provider for hosting their production apps. The survey also found that as organizations increase their use of public cloud, their confidence in applying strong security declines.

Again, if that wariness is healthily applied, it could help motivate organizations to reduce risk. “In the wake of SolarWinds, make sure you have more than one cloud provider to balance your loads and your risks. Additionally, your logs and backups should also be stored offline and out of band. The best way to improve trust is to define your digital nightmares, and practice playbooks with your cloud provider. It’s better to exercise an issue and learn there are potential gaps in capability than finding out in an emergency,” Payton said.