Toward zero-trust: 8 steps to boost app sec
Application security has many organizations worried—and for good reason. But there are steps you can take to mitigate at least some of the threats. Application breaches are on the rise, and so are the security risks of running business-critical apps in unprotected environments. Companies are also not adequately investing in application security until after breaches occur, resulting in loss of productivity, customer trust, and revenue.
Consider these findings from a recent study of 1,400 IT and security practitioners by the Ponemon Institute on behalf of Arxan Technologies, an application security provider:
- 75% of organizations have likely, most likely, or definitely experienced a material cyber attack in the last year due to a compromised application.
- 64% of IT pros are concerned or very concerned that their organizations will be hacked through an application.
- 54% expect the severity of the threats to their organizations to increase in 2018.
- Only 25% of IT practitioners say their organization is making significant investments in solutions to prevent application attacks.
Here’s why zero trust is key—plus eight steps for boosting your application security.
Apps make attractive targets
Application usage of every kind has been growing, especially web applications. Nitzan Miron, vice president of product management for application security at Barracuda Networks, pointed out that in 2010, the average organization had 5 web applications; in 2018, it’s 54.
That means the data handled by those applications is far more valuable, and far more attractive to threat actors.
1. Secure your APIs
Anything that exposes an application to potential malicious access is fair game for attackers. That includes APIs, even though their attack surfaces can be tightly restricted.
Security for APIs can be overlooked when they’re used to dynamically generate content on a website.
Mobile APIs are also targeted by hackers, who use malware to hijack a mobile device or steal credentials. Once they access the API, they use it to scrape data from their target.
APIs need to be evaluated with an eye to what access to sensitive data and resources they’re exposing.
2. ‘Fuzz’ your apps
A common tactic deployed by threat actors is to break an application, hoping it will expose an attack surface. Buffer overflows are a typical example of that. To guard against those kinds of assaults, organizations should “fuzz” their apps. That means experimenting with throwing all sorts of unanticipated input at an app to see how it responds.
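The following is an added illustration of the fuzzing idea described above, not code from the article or from any vendor quoted in it. It pairs a constructed record parser that trusts a length field with a small mutation-based fuzzer; the parser, its hardened counterpart, the seed inputs and the mutation strategies are all assumptions chosen for the example.

```python
import random
from typing import Callable, Dict, List, Tuple

# Constructed target: parses records of the form b"<len>:<payload>" and
# returns the last byte of the declared payload. Its deliberate defect, the
# kind fuzzing is meant to surface, is that it trusts the declared length.
def parse_record(data: bytes) -> int:
    sep = data.index(b":")            # ValueError if no separator
    declared = int(data[:sep])        # ValueError if not an integer
    payload = data[sep + 1:]
    return payload[declared - 1]      # IndexError when declared exceeds the payload

# Hardened form: every malformed input is rejected with the one documented exception.
def parse_record_hardened(data: bytes) -> int:
    sep = data.find(b":")
    if sep <= 0:
        raise ValueError("missing length prefix")
    try:
        declared = int(data[:sep])
    except ValueError:
        raise ValueError("length prefix is not an integer") from None
    payload = data[sep + 1:]
    if declared <= 0 or declared > len(payload):
        raise ValueError("declared length does not match payload")
    return payload[declared - 1]

# Constructed seed inputs: well-formed records the fuzzer will mutate.
SEEDS: List[bytes] = [b"5:hello", b"3:abc", b"1:x"]

def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Apply one random mutation: bit flip, insert, delete, or swap in an unexpected length."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        sep = buf.find(b":")
        if sep >= 0:
            buf[:sep] = str(rng.choice([0, -1, 2 ** 31, 10 ** 9])).encode()
    return bytes(buf)

def fuzz(target: Callable[[bytes], object], seeds: List[bytes], iterations: int,
         expected: Tuple[type, ...] = (ValueError,), rng_seed: int = 1) -> Dict[str, bytes]:
    """Run mutated inputs through target; return {exception name: first input that
    triggered it} for every exception type the target does not document as expected."""
    rng = random.Random(rng_seed)       # fixed seed so a run can be reproduced
    findings: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            target(case)
        except expected:
            continue                    # documented rejection, not a bug
        except Exception as exc:        # anything else is a finding worth triaging
            findings.setdefault(type(exc).__name__, case)
    return findings

if __name__ == "__main__":
    print("naive parser:", fuzz(parse_record, SEEDS, 2000))
    print("hardened parser:", fuzz(parse_record_hardened, SEEDS, 2000))
```

The harness treats any exception outside the parser's documented contract as a crash to triage; the same loop works against any function that accepts bytes, and production fuzzers add coverage feedback and corpus minimisation on top of this skeleton.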
3. Shift security left
Moving security left, to earlier in the development lifecycle, is another way to improve an application’s security. That’s because security issues often appear first in the application’s code.
The earlier those issues can be discovered, the more secure the app will be in the long run. It also lowers the cost of protecting the app because it costs less to catch flaws early in the process than when the software is about to be deployed.
Securing code is only part of the challenge, added Brian Contos, CISO of Verodin, the maker of a platform to measure, manage, and improve cybersecurity effectiveness. “App security requires a layered approach—starting with creating secure apps, managing those apps in the enterprise, and protecting the code from reverse engineering, as well as protecting and monitoring the systems those apps interact with,” he said.
4. Identify application dependencies
The growth in the use of third-party components in applications has increased the risk of application compromise. “These days, because of the complexity involved in an application, there’s just so much happening that you can’t write all the code yourself,” explained Raj Rajamani, vice president of product management at SentinelOne. “There are so many open-source projects that … can reduce your time to market.”
To get a handle on those third-party risks, organizations need to gain visibility into what open-source components are used by their applications and how they’re used. They can do that through the use of software composition analysis tools. “I expect to see continued adoption of software composition analysis for the next several months,” 451 Research’s Crawford said.
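To make the software composition analysis idea concrete, here is an added example that is not part of the article or of any product it mentions: a minimal dependency check that reads a pinned requirements file and matches each pin against an advisory feed. The package names, version ranges, advisory identifiers (EXAMPLE-ADV-…) and the requirements file are all constructed for the example; a real tool would pull the feed from a vulnerability database.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

class Advisory(NamedTuple):
    package: str
    introduced: str        # first affected version, inclusive
    fixed: Optional[str]   # first fixed version, exclusive; None if no fix exists yet
    ref: str               # advisory identifier (placeholders here, not real IDs)

# Constructed advisory feed for fictional packages.
ADVISORIES: List[Advisory] = [
    Advisory("acme-http", "2.10.0", "2.15.0", "EXAMPLE-ADV-001"),
    Advisory("widgetlib", "0.9.0", None, "EXAMPLE-ADV-002"),
    Advisory("formatkit", "1.0.0", "1.2.0", "EXAMPLE-ADV-003"),
]

# Constructed requirements file: one vulnerable pin, one pin with no fix available,
# one pin already on the fixed version, and one entry that is not pinned at all.
REQUIREMENTS = """
# constructed sample, not a real project
acme-http==2.14.1
Widgetlib==0.9.3      # name case differs from the advisory on purpose
formatkit==1.2.0
unpinned-lib>=3.0
"""

def normalize_name(name: str) -> str:
    """Fold case and separator differences so 'Widget_Lib' and 'widgetlib' compare alike."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> zero-padded tuple, so '1.2' compares equal to '1.2.0'."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def scan_requirements(text: str, advisories: List[Advisory]) -> Dict[str, list]:
    """Return vulnerable (name, version, ref) triples plus names that could not be resolved
    because they are not pinned to an exact version."""
    report: Dict[str, list] = {"vulnerable": [], "unpinned": []}
    pin = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([^\s#;]+)")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = pin.match(line)
        if not m:
            bare = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
            report["unpinned"].append(normalize_name(bare))
            continue
        name, version = normalize_name(m.group(1)), m.group(2)
        for adv in advisories:
            if normalize_name(adv.package) == name and is_affected(version, adv):
                report["vulnerable"].append((name, version, adv.ref))
    return report

if __name__ == "__main__":
    for key, rows in scan_requirements(REQUIREMENTS, ADVISORIES).items():
        print(key, rows)
```

Unpinned entries are reported separately because the checker cannot know which version will be installed; in a build pipeline they are usually treated as a policy failure in their own right, since a floating specifier defeats the visibility the passage calls for.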
5. Scan application code for vulnerabilities
A number of tools and service firms will test code for errors before it’s deployed. These scans can reveal common flaws such as cross-site scripting vulnerabilities. “That’s a basic type of visibility that developers should get,” SentinelOne’s Rajamani said.
Organizations should demand that software applications—either built or bought by their organization—be tested for vulnerabilities before they are released, observed Anita D’Amico, CEO of Code Dx. “Applications must be subjected to both static application security testing performed on the source or binary code, as well as penetration testing,” she said. “Organizations should also require that software suppliers demonstrate proof that the application being delivered has been adequately tested for security weaknesses,” she added.
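As an added example of what a static scan actually looks for, the block below is not from the article or from any of the vendors quoted in it. It shows a constructed snippet with the cross-site scripting flaw the passage names (untrusted input interpolated into HTML) beside its escaped form, and a deliberately small checker that walks the Python AST to flag f-strings that drop an unescaped expression into markup. The sample source, the detection rule and the hardened render function are assumptions for the example; real SAST tools track data flow across functions rather than a single string literal.

```python
import ast
import html
from typing import List

# Constructed sample source for the checker to analyse. The first function is the
# vulnerable form; the second is the hardened form.
SAMPLE_SOURCE = '''
import html

def render_vulnerable(name):
    # untrusted input dropped straight into markup
    return f"<p>Hello, {name}!</p>"

def render_hardened(name):
    return f"<p>Hello, {html.escape(name)}!</p>"
'''

def _is_escape_call(node: ast.AST) -> bool:
    """True if the interpolated expression is a call to something named escape (e.g. html.escape)."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
    return name == "escape"

def find_unescaped_html_interpolation(source: str) -> List[int]:
    """Return line numbers of f-strings whose literal parts contain HTML markup
    and which interpolate at least one expression without an escape call."""
    findings: List[int] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.JoinedStr):
            continue
        literal_text = "".join(
            part.value for part in node.values
            if isinstance(part, ast.Constant) and isinstance(part.value, str)
        )
        if "<" not in literal_text:       # not an HTML context, skip
            continue
        for part in node.values:
            if isinstance(part, ast.FormattedValue) and not _is_escape_call(part.value):
                findings.append(node.lineno)
                break
    return findings

def render_hardened(name: str) -> str:
    """Runnable hardened form: html.escape neutralises <, >, &, and quotes before interpolation."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

if __name__ == "__main__":
    print("unescaped interpolation at lines:", find_unescaped_html_interpolation(SAMPLE_SOURCE))
    print(render_hardened("<script>alert(1)</script>"))
```

The rule is intentionally narrow (one literal, one escape helper name), which is exactly the trade-off commercial scanners make at scale: a simple syntactic rule gives developers the basic visibility Rajamani describes, while the false negatives it leaves (string concatenation, templates, escaping done in another function) are why static testing is paired with penetration testing in the next step.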
6. Perform penetration testing
Hiring hackers to break into your network through an application is a common way to expose vulnerabilities. Organizations will enlist penetration testers and bug bounty hunters as a way to beef up application security. The practice has been so successful that even government agencies, including some military services, have launched bug bounty programs to test their security.
7. Validate back-end security systems
Applications don’t operate alone. They interact with server apps, databases, and networks. Those systems need to be secure, too, but too often they’re not.
Firewalls, intrusion prevention systems, web application firewalls (WAFs), data loss prevention tools, endpoint security controls, and other solutions can all provide a great deal of value. However, those systems are rarely validated, and organizations simply assume they are operating as needed. But many suffer from misconfigurations, incomplete deployments, or environmental drift, which happens when something that was providing security quietly stops doing so.
“Security based on assumptions is common and it’s a massive problem leading to poor security ROI and breaches,” Verodin’s Contos said. “As dependency on secure apps increases, so does the need to validate that the back-end systems are also secure.”
8. Foster a culture of security
Organizations should nurture a “security-positive” culture. “This makes a real difference in the success of adopting security policies,” Positive Technologies’ Galloway said.