Despite the rising costs and impact of application compromise — recent data found that 58 digital records are stolen every second and breaches cost companies an average of $3.6 million — many best practices and procedures for securely designing, developing, testing, and protecting applications are largely ad-hoc. As noted by Tech Republic, exactly ZERO percent of organizations say their security needs are fully met by their current infosec strategy, down from just 11 percent last year.
Some respondents pointed to a lack of skilled resources, while others cited budget constraints. Still, regardless of origin, the outcome is clear: hastily designed app protection procedures that don’t meet current needs and can’t keep up with evolving demands.
Need a helping hand with your application protection process? We’ve compiled some of the best practices of leading-edge companies into a top-10 list. Let’s get started.
First up? Educating developers on safe coding and security code review practices. Here’s why it matters: As CA Technologies 2018 Insider Threat Report noted, accidental insider threats top the list of corporate worries, and “lack of training and expertise remain the biggest barrier to better insider threat management.”
While many organizations (correctly) link accidental insider threats to staff sending sensitive data via plaintext emails or falling victim to phishing attacks, poorly secured or untested app code can have the same effect: attackers can breach corporate defenses and access critical information. As a result, all security staff need to receive regular training about app coding best practices. These include:
Better training for developers means more secure apps, making all other app security benchmarks easier to achieve.
Companies must develop broad threat awareness to effectively defend apps from malicious actors. Some threats are common knowledge, such as the use of popular open-source components in app development that may themselves contain critical flaws.
Others remain ongoing concerns. As noted by SANS, vectors such as cross-site scripting (XSS) and buffer overflows remain popular. While defeating many XSS attacks is relatively simple, organizations must understand both the prevalence of this threat and existing application issues to effectively reduce risk. Also essential? Keeping track of emerging trends such as fileless malware and account takeover attacks, which attempt to compromise applications without triggering infosec alerts.
Static application security testing (SAST) focuses on the application source code before it is compiled. This offers both the benefits of early use — SAST techniques are viable even in the first stages of the software development lifecycle — and the ability to quickly detect early-stage vulnerabilities. With approximately 80 percent of attacks now targeting the application layer, SAST is a cost-effective, simple way to save time on detection and money on costly bug fixes. It scales well and is useful for finding common security flaws such as buffer overflows and SQL injection flaws.
Dynamic application security testing (DAST) is — not surprisingly — the other side of the app testing coin. Here, applications are tested while running to detect vulnerabilities that appear only when the app executes. Essentially, DAST probes the running application in various ways to determine potential vulnerabilities, and it doesn’t require direct access to the binaries or source code.
Although DAST has limitations, since it can only find flaws in the code paths actually exercised during the test, it provides a more organic way to test application behavior. Why? While SAST evaluates an application’s parts in isolation, DAST reveals flaws that only occur when runtime inputs, configuration and environment enter the equation.
While SAST and DAST testing can be fully automated, the pentest includes the human element, creating a simulation of security outbreaks against the application. The pentest is a key component of effective application security. The challenge for most organizations is ensuring that pen testing efforts properly address the scope of potential system issues.
What are top-tier companies doing that others aren’t? They implement penetration testing processes with a clear C-suite mandate and action plan. According to Business Computing World, this means creating a regular testing schedule — every quarter to every six months — and testing all aspects of their network and applications. Why is this important? Because many businesses assume that certain portions of their infrastructure or code are “infallible” since they’ve never been breached. The hard truth? They aren’t — they’ve just had good luck. Include everything in your pen test efforts to ensure optimal results. See our blog on Mobile Pen Testing Tips.
As noted by Forbes, “Data encryption is among the most effective strategies for mitigating the damage caused by data loss.” Many emerging federal regulations and industry standards now require data encryption to demonstrate due care in protecting user data and safeguarding critical application processes.
Companies that excel at data protection share a common practice: They encrypt everything — files at rest, data in transit, session tokens, mobile data, and connection information. The caveat? Companies tend to trust encrypted data, leading to more attacks carried inside SSL and TLS traffic. Malicious actors often bypass common security measures by wrapping malicious code in the same widely accepted encryption. For organizations, encryption is a two-way street: outgoing data and data at rest should always be encrypted, while incoming data must always be decrypted and inspected before it is trusted.
In addition to data encryption, building processes that help mask and obfuscate critical data is critical. According to Tech Target, this starts with discovery: companies must find the data they need to protect within their application. Ideally, this occurs during the design process rather than after the fact. Either way, the Tech Target piece suggests such identification takes between 10 and 20 percent of total project efforts.
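The discovery step Tech Target describes has to be repeatable to be worth 10 to 20 percent of a project, so here is an added example (not from the article or Tech Target) of a small discovery-and-masking pass over application records. It locates payment card numbers (digit runs that pass the Luhn check, which weeds out order numbers that merely look like cards) and e-mail addresses, reports which fields hold them, and returns a copy with the values masked so the record is safe to log or copy into a test environment. The field names and sample values are constructed.

```python
"""
Discover sensitive values in a flat record and return a masked copy.
Added example; not code from the article. Sample record is constructed.
"""
import re
from typing import Any, Dict, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens, no trailing separator.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment cards; False for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match") -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_valid(digits):
        return raw              # not a card number; leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_email(match: "re.Match") -> str:
    local, _, domain = match.group(0).partition("@")
    return local[0] + "***@" + domain


def discover_and_mask(record: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (masked copy, list of 'field:type' hits) for one flat record."""
    masked: Dict[str, Any] = {}
    hits: List[str] = []
    for field, value in record.items():
        if not isinstance(value, str):
            masked[field] = value
            continue
        new_value = value
        # Card numbers first, so the e-mail rule never sees digits inside a PAN.
        if any(luhn_valid(re.sub(r"\D", "", m.group(0))) for m in PAN_RE.finditer(value)):
            hits.append(f"{field}:pan")
            new_value = PAN_RE.sub(_mask_pan, new_value)
        if EMAIL_RE.search(new_value):
            hits.append(f"{field}:email")
            new_value = EMAIL_RE.sub(_mask_email, new_value)
        masked[field] = new_value
    return masked, hits


# Constructed sample record, as an application might log it before masking.
SAMPLE = {
    "order_id": "2018-000931",
    "customer": "alice@example.com",
    "note": "paid with card 4111 1111 1111 1111, ship by Friday",
    "amount": 42.0,
}

if __name__ == "__main__":
    clean, found = discover_and_mask(SAMPLE)
    print(found)
    print(clean)
```

Running the pass over every record type at design time produces the inventory of fields to protect; running it again in the logging pipeline is what keeps that inventory from leaking through log files later.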
Attackers seek the fastest, easiest route to data breach and application compromise. If an application is easy to reverse engineer, it is easy to steal IP and find vulnerabilities. The result? Employing app hardening and shielding techniques can help convince attackers that your app is more trouble than it’s worth, so that they move on to more vulnerable targets.
OWASP speaks to the industry consensus for application hardening, which includes:
For code running in an unprotected environment, find and deploy a reliable code obfuscation tool that modifies your files so that they are no longer useful to attackers yet remain fully functional in your application.
Gartner defines runtime application self-protection (RASP) as a security technology built or linked into an application or application runtime environment. It is capable of controlling application execution and of detecting and preventing attacks in real time.
Examples of client-side steps an app can take to try to prevent attacks include:
Examples of server-side steps an app can take to try to prevent attacks include:
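As an added example of the server-side RASP idea (not code from Gartner or the article), the following decorator sits inside the application rather than in front of it: at run time it inspects the argument handed to a sensitive call, here the path given to a file-serving function, blocks any request that resolves outside an allowed directory, and records an event for the security team. `ALLOWED_ROOT`, `serve_file` and the sample paths are constructed; the guard can also run in monitor-only mode by passing `block=False`, which is how such agents are usually introduced before enforcement is switched on.

```python
"""
RASP-style guard: check a sensitive call's arguments at run time, block or monitor.
Added example; not code from the article. Root directory and handler are constructed.
"""
import functools
import os
from typing import Callable, Dict, List

ALLOWED_ROOT = "/srv/app/public"   # constructed: the only directory the app may read from

# Events the instrumentation records; a real agent would forward these to the SIEM.
EVENTS: List[Dict[str, str]] = []


def path_is_allowed(root: str, requested: str) -> bool:
    """True only if `requested`, after resolving '..' and friends, stays inside `root`."""
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, requested))
    # commonpath is the safe comparison; a plain startswith() would accept /srv/app/public2.
    return os.path.commonpath([root_abs, target]) == root_abs


def rasp_guard(root: str, block: bool = True) -> Callable:
    """Wrap a function whose first argument is a user-supplied relative path."""
    def decorator(func: Callable) -> Callable:
        @functools.wraps(func)
        def wrapper(requested: str, *args, **kwargs):
            if not path_is_allowed(root, requested):
                EVENTS.append({"call": func.__name__, "arg": requested,
                               "action": "blocked" if block else "monitored"})
                if block:
                    raise PermissionError(f"RASP blocked access to {requested!r}")
            return func(requested, *args, **kwargs)
        return wrapper
    return decorator


@rasp_guard(ALLOWED_ROOT)
def serve_file(relative_path: str) -> str:
    """Stand-in for the application's real handler; returns the resolved path."""
    return os.path.abspath(os.path.join(ALLOWED_ROOT, relative_path))


def try_serve(relative_path: str) -> str:
    """Call the guarded handler and summarise the outcome as a string."""
    try:
        return "served:" + serve_file(relative_path)
    except PermissionError:
        return "blocked"


if __name__ == "__main__":
    for p in ["css/site.css", "docs/../index.html", "../../config/db.ini"]:
        print(p, "->", try_serve(p))
    print(EVENTS)
```

The point of doing this inside the process is that the guard sees the argument the application is actually about to use, after any framework decoding, which a perimeter device cannot.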
Traditional firewalls rely on perimeter defenses to detect incoming threats and block suspicious actions. However, these firewalls have limited efficacy for web applications located outside the typical network DMZ.
Meanwhile, web application firewalls (WAFs) are network-, host- or cloud-based solutions placed in front of web and mobile applications to actively scan incoming data packets. Their positioning and scanning process lets them reliably detect potentially malicious behavior and deal with high-risk threats such as zero-day attacks. These attacks often devastate organizations because they emerge after applications go live. WAF tools are designed to identify strange app requests, prevent them from executing, and notify infosec teams. In addition, these next-gen tools can be configured to inspect for other threats, such as XSS attacks, SQL injections, and buffer overflows.
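To show what "identify strange app requests, prevent them from executing, and notify infosec teams" looks like in code, here is an added example (not from the article or any WAF product) of the core of a WAF-style request inspector. It URL-decodes each request's parameters (twice, so double-encoded input cannot slip past), checks them against a small rule set covering the three threat classes the paragraph names (XSS, SQL injection, and oversized input as a buffer-overflow precursor), and returns a decision together with the rule and parameter that tripped it, which is what the alert to the security team would carry. The rule names, size limit and sample requests are constructed.

```python
"""
WAF-style request inspection: decode parameters, match rules, return a decision.
Added example; not code from the article. Rules and sample requests are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit


class Rule(NamedTuple):
    name: str
    pattern: re.Pattern


# Deliberately small signature set; production WAFs layer many more rules plus
# anomaly scoring. Matching runs on the fully decoded parameter value.
RULES: List[Rule] = [
    Rule("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    Rule("xss-event-handler", re.compile(r"\bon\w+\s*=", re.I)),
    Rule("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    Rule("sqli-comment-terminator", re.compile(r"(--|/\*|;)\s*$")),
]
MAX_PARAM_LENGTH = 512   # constructed limit; very long inputs are a classic overflow trigger


class Decision(NamedTuple):
    allow: bool
    rule: Optional[str]
    parameter: Optional[str]


def decode_params(request_target: str) -> Dict[str, List[str]]:
    """Split '/path?a=1&b=2' into parameters; parse_qs decodes once, unquote_plus a second time."""
    query = urlsplit(request_target).query
    params = parse_qs(query, keep_blank_values=True)
    return {k: [unquote_plus(v) for v in vals] for k, vals in params.items()}


def inspect_request(request_target: str) -> Decision:
    """Return the first rule a request trips, or an allow decision."""
    for name, values in decode_params(request_target).items():
        for value in values:
            if len(value) > MAX_PARAM_LENGTH:
                return Decision(False, "oversized-parameter", name)
            for rule in RULES:
                if rule.pattern.search(value):
                    return Decision(False, rule.name, name)
    return Decision(True, None, None)


# Constructed sample requests a web application might receive.
SAMPLE_REQUESTS = [
    "/search?q=running+shoes&page=2",
    "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "/login?user=admin%27+OR+%271%27%3D%271&pw=x",
    "/upload?name=" + "A" * 600,
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision = inspect_request(req)
        verdict = "ALLOW" if decision.allow else f"BLOCK [{decision.rule} in {decision.parameter}]"
        print(verdict, req[:60])
```

The decision object is what feeds both halves of the WAF's job: `allow=False` drops the request, and the rule and parameter names give the infosec team an alert they can triage without re-parsing the raw URL.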
Compliance expectations such as those from PCI DSS and HIPAA are a good starting point, along with any company-specific data critical to basic app functioning. Also, consider the EU’s new General Data Protection Regulation (GDPR). Not only does it stipulate that users have the right to request their data from companies at any time, but it mandates that any organizations handling or storing the data of an EU citizen — even if the business isn’t located in the European Union — must securely store that data and respond to breaches within 72 hours or face significant monetary fines. Meanwhile, new credit data regulations from PCI DSS mandate ongoing protection — with the potential for random audits and compliance checks — rather than once-a-year demonstrations of application security.
The result? It’s critical for companies to regularly review their application security protocols, compare them to existing legislation, and make necessary changes.
Bottom line? Applications are now critical to the success of your business — but without the right security procedures in place, these apps may pose the biggest risk to your organization. For many companies, the sheer complexity of their app environment makes developing and adopting new infosec processes daunting.