No CISO in today's environment is going to allow a system to exist without solutions designed to prevent attacks, usually at the infrastructure or operating system (OS) level. But such solutions are naturally limited when it comes to attacks made directly against an application, and those limitations are leaving systems around the world even more vulnerable. True code security has been increasingly difficult to achieve since the advent of Agile development, but there are still ways that CISOs can work together with development teams to protect their businesses from the growing menace of poorly designed, poorly tested applications.
The current issue with application security revolves around the fact that many businesses use traditional network-security products that are designed to defend popular operating systems, browsers and other software. These solutions are adept at understanding what an attack against these products looks like, and in taking action to prevent an intrusion.
However, as these defenses have hardened over the years, attackers have shifted their targets toward applications. Each application handles data a little differently, making it extremely difficult for a security solution designed to protect the OS to understand when an attack is happening. Poor coding and a lack of testing mean that vulnerabilities in such custom code are fairly common, creating a situation where existing defenses are useless against attacks.
The problem has only escalated in recent years. The Agile movement, combined with an explosion of necessary custom-built applications, has created a scenario in which development is producing and updating apps at an astounding rate. Some businesses have taken the intelligent step of creating an AppSec team, but as the amount of created code increases exponentially, many of these teams lack the time and resources to properly test all the newly created or changed code.
As detailed in this Dark Reading article, this has led to a situation where about 90 percent of applications are released into production without being tested. That's where a majority of modern breaches are coming from, and the number of them can only be expected to climb.
The solution, obviously, is that more custom applications need to be tested for code security. That's easier said than done, though — the expense of installing additional servers and hiring extra consultants or employees is prohibitive. CISOs need to work with development teams to adopt and integrate solutions that can automatically scan code in development, testing and production, and that can expand to cover all current and future applications.
Integrating security within the development process is a perfect first step, and it doesn't have to happen all at once. CISOs can audit their infrastructures to find the applications that are most in need of secure development and start their programs there. The development teams can then perfect the systems to work out all the issues and ensure code security is being checked with minimal impact to development life cycles.
These early trials will establish a system of standards and policies that works for a given enterprise; from there, programs can be expanded to eventually encompass entire development teams. If a solution is cloud-based, expanding it will be even easier, as the same policies that govern an individual deployment can apply seamlessly to all development teams. These types of security solutions are also able to adapt quickly as new threats emerge. The overall result is a scanning solution that ensures an entire application library is uniformly secure, even as the threat landscape changes.
Finally, applying security scans within the development process will teach developers to be cognizant of security concerns while they are creating code. By seeing vulnerabilities in their code as it's written, devs will naturally begin to apply what they've learned to future projects, resulting in a situation where fewer pieces of code have to be corrected and fewer vulnerabilities can slip through the cracks.
Attacks against applications are going to increase. There's no way around it. To protect business systems, CISOs must work with development teams to integrate security scanning into development processes. Building applications as securely as possible won't prevent every attack, but it will create a strong perimeter that can convince hackers and thieves to look elsewhere for easier targets.