Building A Successful Application Security Strategy
The InfoSec Consulting Series #29
By Jay Pope
As we rely more and more on technology and the internet, keeping the devices and applications that we use secure becomes a key priority. Companies are keen to embrace digital transformation strategies but this also means increasing the potential attack surface. A key part of any Systems Development Life Cycle (SDLC) today must, therefore, focus upon building in security right from the inception of the project. Hoping to bolt on security later is no longer a viable strategy. There are essentially four steps to building an application security strategy. The first is to convince senior management that it’s essential and to get the whole of the organisation committed. The second is to ensure that development teams have the required level of security skills which may mean investment in training and recruitment. Thirdly, is investment in the right tools to ensure that development can be tested and monitored for security issues. And finally, a proactive approach is required to ensure that security is not only considered at the start of a development project but all the way through the cycle. How then do you ensure that your web app strategy will meet these requirements?
Building in security requires development teams to have the correct skills. This means that training and development in security needs to become part of the team’s culture. Developers must not only understand the requirements of security technology, but they also need an insight into the perspective of security analysts. Ultimately, it isn’t just about generating secure code, it’s about ensuring that development and security teams can communicate and understand each other’s needs. Training developers to give them the requisite security skills will require significant investment, but is increasingly being seen as a priority by businesses.
There are many well-established frameworks that can be incorporated as part of an application security strategy. These incorporate processes and techniques to not only guide developers, but also to provide resources that can be used in the process. Perhaps the best known of these frameworks is the Microsoft Secure Development Lifecycle (SDL). This is designed to sit within DevOps environments and to help to deliver security at each stage of the process. Although produced by Microsoft, it isn’t specific to any particular environment or operating system, so it can be applied across the board.
For open source developers, the Open Web Application Security Project (OWASP) offers data on major vulnerabilities, together with the risks they present and their likely impact. It includes best practice information and guidance for securing apps as they are developed. A good deal of current development revolves around the incorporation of Internet of Things and ‘smart’ devices. If you’re working in this area, the Industrial Internet Consortium (IIC) publishes a framework identifying open standards of interoperation and architectures, allowing the safe connection of IoT devices.
The concept of DevOps combining development and operations methodologies to streamline the delivery of software has been around for some years. The need to include security in the process means that we’re now seeing a significant shift toward DevSecOps. This means including a focus on security at each stage of the SDLC to reduce the risk of vulnerabilities being included in finished code. Crucially adopting DevSecOps ensures that secure methodologies are practiced at every stage of development.
Key to any successful development is testing. This should become a core part of the developer’s toolchain, rather than something that is merely tacked on at the end. There are numerous testing tools available and it’s wise to select your preferred tools at the outset. This ensures that your code can be optimised to take advantage of the test tool’s instrumentation. Application security tools (AST) can be static, dynamic and interactive. In the past, static and dynamic tools have been most widely adopted but interactive test methodologies are now growing in popularity.
A further point here is that testing is not over once the development is signed off. It’s important to adopt continuous analytics and monitoring to provide feedback on the software while it’s in production. This not only helps to identify potential security vulnerabilities, but it also serves to provide detail as to how the performance of the software is holding up in the real world.
The potential loss of reputation – not to mention in financial terms – that could arise from a security breach is such that building security into every level of the development process cannot be ignored.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.