There is no greater threat to information security than the belief that systems are secure when, in fact, they are anything but. The growth in popularity of custom app development over the past few years has created a situation where many enterprises have thousands of applications in production with little or no security testing behind them—and most executives have no idea these security holes even exist. Enterprises concerned about information security must find a way to integrate sufficient testing into the software development life cycle (SDLC) to ensure their systems are as secure as possible.
The Ongoing Threat from Custom Apps
The average enterprise has come to use thousands of custom apps on a daily basis. The problem? Many of these organizations have no idea how many custom apps they are using, and it's impossible to secure apps that IT management doesn't even know exist.
What's worse is that even the best AppSec programs are only testing approximately 10 percent of their apps, according to Aspect Security. As a result, 54 percent of breaches come through custom apps—a number that will only increase in the coming years, given such conditions as lax security and the growing number of available apps.
Custom apps are particularly vulnerable to hackers and thieves because they represent the path of least resistance. They are constantly exposed to the Internet (which makes them easy to probe for vulnerabilities), are developed quickly with little regard for in-development security and are assembled from a variety of code and library sources. In addition, they represent larger attack surfaces than traditional targets.
Securing App Development in an Agile World
In order to tackle the growing issues with custom apps, IT executives have to embrace a holistic approach throughout the entire SDLC while avoiding the additional expenses incurred by extra IT staff, consultants and infrastructure.
Through a discovery process, IT can take an exact inventory of all the apps they need to secure, granting organizations a handle on their existing app pool. From there, a massively parallel scan will quickly identify highly exploitable vulnerabilities, like those in the OWASP Top 10, and allow IT to segregate questionable apps until a deeper scan can be done.
Once IT has a grip on existing apps, an enterprise has to turn its attention to the development process and find a scalable solution that works from early code development right through production, especially in the fast-paced world of agile development. Implementing static application security testing (SAST) early in the development life cycle will allow IT to find many vulnerabilities, such as cross-site scripting or SQL injection issues, as well as coding errors, at a stage when they should be easy to fix. Because SAST works with binary code to find paths through an application, it can also be used with third-party software or libraries that exist in many modern custom applications. As the app-development phase moves to QA, dynamic application security testing (DAST) should be conducted to ensure that additional vulnerabilities aren't exposed by the addition of a web interface. Finally, manual penetration testing has to be done on all critical apps, and the test results from every stage of development need to be centralized in a comprehensive solution to minimize false positives and help ensure overall accuracy.
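As an added illustration of the SAST step described above (this is not code from the original article or from any particular scanner), the following minimal static rule in Python walks a module's syntax tree and flags database execute() calls whose query string is assembled at runtime, which is exactly the kind of SQL injection defect that is cheap to fix while the code is still on the developer's desk. The sample module and its function names are constructed for this example.

```python
import ast

# Constructed sample module: three query builders that interpolate input
# into SQL text, and one that passes the value as a bound parameter.
SAMPLE_SOURCE = '''
def find_user_concat(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fstring(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_format(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '{}'".format(name))

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''


def _is_dynamic_query(node):
    """True when the query expression is built at runtime instead of being a constant."""
    if isinstance(node, ast.BinOp):       # "..." + name  or  "..." % name
        return True
    if isinstance(node, ast.JoinedStr):   # f"...{name}..."
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...{}".format(name)
    return False


def find_sqli(source):
    """Return (function_name, line) for each execute() whose first argument is dynamic."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and _is_dynamic_query(node.args[0])):
                findings.append((func.name, node.lineno))
    return findings


if __name__ == "__main__":
    for name, line in find_sqli(SAMPLE_SOURCE):
        print(f"line {line}: {name}() builds its SQL query from runtime data")
```

Only the three interpolating functions are reported; the parameterized query in find_user_safe passes a constant string and is left alone.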
The threat posed by custom app development is only going to increase in the coming years, as these apps will make up more and more of the overall network infrastructure. Enterprises that are serious about network security have to begin taking steps to mitigate problems today. The right solution has to be comprehensive, scalable through the cloud, and designed to discover both the security issues of today and the potential security flaws that hackers may exploit tomorrow.