When it comes to application security in a workplace, one of the main challenges is due to the misconception that it's hard to implement and very difficult to maintain. This fallacy mainly derives from a lack of awareness regarding cyberthreats and the correct way to mitigate them.
AppSec represents a challenge for any organization because in the majority of cases, internal personnel aren't trained on the threats, on cybersecurity best practices and on the proper response to a cyber incident. A common error consists of thinking application security is an expensive waste of time. For example, during the development process, it's a common mistake to associate secure coding with slow coding and worse performance. Instead, organizations should consider the benefits of mitigating threats early on.
In my experience, these problems are emphasized in environments where security experts don't have enough interaction with their colleagues, and in organizations that lack a standard security policy.
The distance between security-minded employees and other members of the organization hampers the diffusion of a security culture among employees. Reducing this distance is an important improvement that can be achieved in a relatively short time if every employee is involved. This gap can be reduced through targeted training programs for all employees. Every one of them deals with many applications each day, so it's essential to cultivate a proper cybersecurity posture. The security of a system depends on the security of its individual components.
Company executives must be informed about the risks of exposure to cyberthreats, and it's therefore essential to include cyber risk in the routine analyses that organizations conduct. Involving executives allows organizations to be more reactive, and it drastically reduces the potential cost caused by a management team that isn't sufficiently aware of cybersecurity.
There's another common misconception around the supposedly prohibitive cost of app security. The majority of executives and IT managers consider AppSec an additional cost to contain. Improving application security requires the involvement of additional staff, new hardware and maintenance activities.
However, it becomes clear that this perception is incorrect when one considers the context in which applications run and evolve, which is characterized by a growing number of increasingly sophisticated cyberattacks. Application security is becoming a must for the survival of any organization, especially when faced with a data breach that could seriously harm its operations.
Application security is considered highly complex, and for this reason, organizations often believe that implementing an application security program would be nearly impossible. In the same environment there are typically different applications — some developed by internal staff, others by third-party providers — that interact with one another. The interactions that result from these applications must be carefully scrutinized by the organization, but this is often hindered by organizational difficulties and a lack of adequate skills. The misconception of AppSec's complexity derives from an organization's inability to prioritize the elements of its AppSec program by identifying the core elements of its business.
Additionally, organizations have to carefully test code developed by third parties, just as they would test code developed internally. Considering an application purchased from an external provider secure by default is a serious misconception that could cause significant vulnerability.
Security experts estimate that nearly 65 percent of a typical enterprise's application portfolio comes from third parties, yet according to the Veracode report, "State of Software Security: Volume 6," 72 percent of third-party code doesn't comply with enterprise security standards, such as the OWASP Top 10.
These applications represent a significant portion of the attack surface for any organization and must be carefully tested to improve security. IT staff tend to consider third-party product architecture secure just because the organization is spending a lot of money on network security appliances, anti-virus solutions and WAFs, but they underestimate the importance of AppSec.
The security of an organization strictly depends on the security of the applications it runs. The lack of application security is the primary cause of security incidents. By stressing application security, companies can reduce risk in the area that's most likely to be exposed to cyberattacks.
Organizations can no longer afford to underestimate the importance of application security. Almost every electronic device today executes software and almost every service provided by any company relies on an application. With this in mind, companies can't ignore AppSec. It's time to forget misconceptions — organizations need to get the facts and focus their efforts on the achievement of a high level of security in compliance with standardized cybersecurity policies and practices.
Photo Source: Flickr