/jan 28, 2016

How AppSec Fits into an Information Security Program

By Doug Bonderud

Want a better information security program? Most companies do and are willing to spend big money on safeguarding critical systems. As noted by Infosecurity Magazine, Allied Market Research predicts huge growth in the hardware encryption market, with a CAGR of more than 50 percent and a net value of almost $300 billion by 2020. But locking down data at rest and in transit is only one step on the road to better InfoSec: If applications and network devices are inherently insecure, even the best encryption won't keep cyber criminals at bay. For many companies, however, the prospect of building an AppSec program from the ground up is daunting does it fully replace existing information security best practices and play nicely with existing protocols?

A Matter of Perspective

According to a recent Dark Reading article, effective InfoSec depends on finding the right frame of reference. Security expert Joshua Goldfarb uses the example of a "crooked haircut" if you're sitting the barber's chair and tilt your head to the side, you'll always get a crooked haircut. From the barber's perspective, everything looks fine, but when the appointment is over the disconnect becomes clear. Differing perspectives produced a nearly correct outcome that now carries significant consequences; chances are you're growing out that bad cut until there's enough hair to try again.

The same thing happens to InfoSec departments. While there's a shared recognition across C-suites and InfoSec professionals that companies need better protection, the perspective often differs. InfoSec pros might focus specifically on new technologies that manage security vulnerabilities, but most executives make budgets their bottom line. For Goldfarb, however, the key is common ground in the form of risk. Instead of focusing on what might help or how much money could be lost, risk-based approaches are designed to identify specific weak points and then suggest effective solutions. This is where AppSec enters your information security program. The sheer number of in-house and third-party apps used by your company creates a potentially massive attack surface, and effective management of these apps is essential to securing your network as a whole.

In, Out and Around

Of course, it's easy to be overwhelmed by AppSec. Do some cursory research and you'll find a growing pool of literature, most of which suggests that for application security to be successful it must encompass every stage of development and testing. Just starting a new in-house build? AppSec. Rolling out the first, pre-beta version? AppSec. Your shiny new app now hitting live servers? AppSec. AppSec. AppSec. It's no wonder, then, that many security pros see application security as a replacement for more traditional InfoSec methods.

But total replacement isn't the answer. Think of InfoSec like an ecosystem: A set of interdependent processes that all play a role in keeping your company safe from attackers and malicious code. Typically, this ecosystem is broken up into multiple layers for example, the first layer is the physical layer, where hardware and users share the same physical space. Attacks at this layer might include the destruction of physical devices or the use of physical media such as USB sticks or tokens to steal data or damage systems. Meanwhile, layer four is the transport layer, which handles all transmission of data both across local servers and the Internet at large. Here, denial of service or man-in-the-middle attacks are likely threat vectors. And applications? Near the top, at layer seven. This layer covers the design, development, upgrade and maintenance of all apps ‰ÛÓ attacks here may focus on app code specifically or the manipulation of client-side remote access.

It's easy to see where AppSec fits here: At layer seven, application security tools are used to inform all aspects of app performance and deployment, ensuring that problems with software code become major network headaches. But just like a true ecosystem, these InfoSec layers depend on one another ‰ÛÓ what happens to apps can easily bleed over to the network, presentation or human security layers. It's here that AppSec especially emerging cloud-based solutions shows its worth. Instead of being confined to the application layer alone, cloud AppSec tools let companies seek out issues with third-party apps that form the foundation of other layers; for example, apps on network devices designed to speed the transmission of data or access vulnerabilities that might allow unintentional human-layer errors.

AppSec Everywhere

The bottom line for AppSec? It doesn't replace your existing information security program, but instead helps shore up the inherently fragile security ecosystem, one that can easily get out of balance when new apps and access points are added. By leveraging AppSec to both address layer-specific issues and branch out to allow multi-layer support, it's possible to vastly improve InfoSec without compromising current best practices.


Related Posts

By Doug Bonderud

Doug Bonderud is a freelance writer passionate about the evolution of technology and its impact on companies, stakeholders and end-users alike. Want to know more? Follow Doug on Twitter.