Time is of the essence for application security: the sooner IT teams can detect an attack, and the longer it takes attackers to understand and subvert application code, the better the outcome for the business.
But with hackers adapting to overcome infosec efforts and new software vulnerabilities constantly emerging, how do companies gain more time—and give hackers less time—across their application stack?
It all starts with a change in direction: Security needs to shift left.
Shift left has gained popularity along with DevOps. Combined development/operations teams needed to improve application quality and detect errors earlier in the development cycle. The name stems from the usual timeline diagram of a development cycle: time runs left to right along the X-axis, testing is concentrated toward the right end, and a defect found that late costs more to fix, most of all after the application has gone live.
By shifting this testing left—back in time to the design and development phases—companies can find and remediate issues when code is easier to change. Successfully deploying a shift left DevOps effort demands a unified test strategy that leverages static testing and automation technologies to reduce human errors and increase test coverage.
Security, meanwhile, has historically been a right-side problem, addressed only after applications go live and their vulnerabilities are already exposed to the world. However, routine exploitation of known software vulnerabilities, targeted attempts to harvest sensitive data, and the use of the application itself as the attack vector have changed the game. Now, organizations need a way to secure applications before they leave test environments.
IT Governance USA notes that it takes companies, on average, 206 days to detect a breach of networks or applications. That is more than enough time for attackers to conduct reconnaissance, discover further vulnerabilities, and exploit application weaknesses for their own gain. Shifting security left means prioritizing vulnerability discovery and prevention during the initial stages of app development, which short-cuts the typical detection cycle: instead of waiting for attackers to make their move, companies discover and fix critical flaws before the code is ever exposed.
But what does this look like in practice? How do businesses know where attackers will strike or what methods they’ll use to breach app defenses? According to research firm Gartner, companies must now employ a “risk-based” approach to vulnerability management that prioritizes critical avenues of compromise and takes steps to harden application code.
By implementing app hardening tools as early as possible in the development process, organizations can identify high-value assets and resources used by apps and then intelligently harden and shield applications against common attack avenues.
The result? Preemptive protection that allows app defenses to be deployed before hackers can access applications.
Organizations also need to extend the time between attacker efforts and successful code circumvention—the longer IT pros have to analyze and quarantine attacks, the better.
However, as Computer Weekly noted, most threat remediation strategies are no better than chance. For example, simple (and popular) rule-based strategies have only a 23 percent efficiency rate, making them a poor choice for defending critical, high-use applications.
Here, shifting left means creating more time for infosec pros to do their job when attacks inevitably arise. Security code scanning finds vulnerabilities that can then be fixed before release; code obfuscation makes it harder for attackers to reverse-engineer the shipped code and hunt for the vulnerabilities that were not found. Note that obfuscation raises the attacker's cost rather than removing flaws, so it complements fixing what the scanner finds instead of replacing it. Layering in runtime application self-protection (RASP) lets the application itself detect unusual behavior or attempts at inspection while it executes, so that it can react, respond, and generate threat reports for IT according to configurable behavior thresholds.
So how do companies get from current 206-day detection times and random-chance remediation to shift-left security success?
There are two answers: responsibility and resources. As noted by IT Business Edge, while pushing security into the continuous app development pipeline “supports a proactive response to emerging threats,” responsibility is often assigned to infosec pros alone. Just as DevOps success demands complete team buy-in, shift-left security requires shared responsibility across organizational lines. This means deploying simple, self-service security tooling that lets development and IT teams address infosec concerns themselves, early, and treat security as a critical aspect of long-term application success.
In addition, teams need the right resources to protect applications against threats that were not addressed during development or that only emerge once applications leave test environments and are deployed onto mobile and desktop devices, where the attacker controls the machine the code runs on. Here, app hardening, obfuscation, anti-debug, and anti-tamper tools are critical to buying time and giving organizations more room to respond.
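To make the runtime self-protection described above and the anti-debug and anti-tamper controls named here concrete, the following is an added example written for this page; it is not code from the original article or from any hardening product. It assumes Linux (it reads `TracerPid` from `/proc/self/status`; on other systems that check simply reports no evidence), a constructed 16-byte "policy blob" standing in for a guarded region, and hypothetical finding weights and thresholds. It uses FNV-1a, a non-cryptographic hash, purely for illustration; a real product would use a keyed MAC and would also cover the code pages of sensitive functions.

```c
/*
 * rasp_demo.c: a minimal runtime self-protection loop (hypothetical example
 * code, not a product). Three pieces are shown:
 *   1. anti-debug: is a tracer attached? (Linux: TracerPid in /proc/self/status)
 *   2. anti-tamper: has a guarded memory region changed since it was sealed?
 *   3. response: weighted findings compared against configurable thresholds,
 *      producing allow / report / terminate decisions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- 1. anti-debug --------------------------------------------------- */

/* Parse the TracerPid line of a /proc/<pid>/status text.
 * Returns the tracer's PID (0 = no tracer), or -1 if the line is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Live check: 1 if a debugger/tracer is attached to this process, else 0.
 * On a non-Linux system (no /proc) the check reports "no evidence" (0). */
int debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}

/* ---- 2. anti-tamper -------------------------------------------------- */

/* 64-bit FNV-1a over an arbitrary byte range. Not cryptographic: a real
 * product would use a keyed MAC so the attacker cannot recompute it. */
uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;   /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;            /* FNV prime */
    }
    return h;
}

/* The region we guard: a constructed 16-byte policy blob (think: feature
 * flags or a pinned certificate fingerprint). Left writable so the test can
 * simulate a patch; a real tool would also cover sensitive code pages. */
unsigned char guarded_region[16] = {
    0x01, 0x00, 0x10, 0x20, 0x9a, 0x3c, 0x77, 0xd2,
    0x44, 0x51, 0x0f, 0xee, 0x08, 0x80, 0x0a, 0xbb
};
static uint64_t guarded_seal;

/* Record the reference hash (at startup, before untrusted code can run). */
void integrity_seal(void)
{
    guarded_seal = fnv1a64(guarded_region, sizeof guarded_region);
}

/* 1 if the region still matches the seal, 0 if it has been patched. */
int integrity_intact(void)
{
    return fnv1a64(guarded_region, sizeof guarded_region) == guarded_seal;
}

/* ---- 3. threshold-based response ------------------------------------- */

enum rasp_action { RASP_ALLOW = 0, RASP_REPORT = 1, RASP_TERMINATE = 2 };

struct rasp_state {
    int score;               /* accumulated suspicion across rounds */
    int report_threshold;    /* score at which a threat report is emitted */
    int terminate_threshold; /* score at which the app stops serving */
};

#define WEIGHT_DEBUGGER 2   /* hypothetical weights: tune per application */
#define WEIGHT_TAMPER   5

/* Fold one round of findings into the state and decide what to do. */
enum rasp_action rasp_evaluate(struct rasp_state *s, int debugger, int tampered)
{
    if (debugger) s->score += WEIGHT_DEBUGGER;
    if (tampered) s->score += WEIGHT_TAMPER;
    if (s->score >= s->terminate_threshold) return RASP_TERMINATE;
    if (s->score >= s->report_threshold)    return RASP_REPORT;
    return RASP_ALLOW;
}

int main(void)
{
    struct rasp_state st = { 0, 2, 5 };   /* the thresholds are the tunable part */
    integrity_seal();
    /* One protection round, as an app would run periodically or on entry to
     * sensitive code paths. A report would normally go to a backend, not stdout. */
    enum rasp_action a = rasp_evaluate(&st, debugger_attached(), !integrity_intact());
    printf("score=%d action=%d\n", st.score, a);
    return a == RASP_TERMINATE ? 1 : 0;
}
```

Run it normally and it prints `score=0 action=0`; run it under a debugger and the debugger finding alone crosses the report threshold. The split between detection (parts 1 and 2) and policy (part 3) is deliberate: the detectors are cheap to call from many places, while the thresholds are what an organization tunes to decide how noisy or how aggressive the response should be.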
Companies need both less time (to detect attacks) and more time (to respond to them) in order to defend applications effectively and reduce attacker impact. Shifting left, bringing security into the DevOps fold, enables this kind of “time-traveling” defense, but it demands new solutions capable of assessing risk, hardening applications, and detecting attacks in real time.