You’ve dipped your toes into the AppSec waters, but now it’s time to wade in a little further. Many organizations understand application security is important, and maybe they’ve done some scanning or pen testing of a handful of apps. But many are also unsure what comes next, or even if anything needs to come next.
The reality is that Web application attacks are now the most frequent pattern in confirmed breaches, and a one-time scan or pen test of a handful of business-critical apps will not protect you from these breaches. A program that continuously assesses the applications an organization builds, buys or assembles — from inception to production — will. But you don’t need to dive into the deep end right away; we’re just going from toe dipping to wading here. The following are some good next steps:
Run a discovery scan of your web perimeter: Most organizations don’t even know how many public-facing web applications they have, thanks to websites for new marketing campaigns, company acquisitions or web portals for customers and partners. You can’t protect what you aren’t aware of. With an automated discovery solution, you can quickly and accurately scan your web application perimeter, and find out what you have, and where vulnerabilities most likely lurk. Once you have a handle on your web perimeter, shut down any old, unused sites and scan and fix those most likely to contain exploitable vulnerabilities.
Get a handle on components: Do your developers use components? They make life easier, but are also causing some serious headaches. Often, when major vulnerabilities in open source components are disclosed, companies struggle to respond because they don’t know which of their applications contain the affected component, or even which components they are using. Consider technologies to keep track of which applications are using each component and what versions are being used. This gives your organization an easy way to update a component to the latest version if a vulnerability is discovered.
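One way to keep the component inventory described above, shown as an added example that is not code from the original post or from any product: it indexes which applications use which component versions and lists the ones still below a fixed version. The application names, component names, versions and the pinned `name==version` manifest format are constructed assumptions.

```python
"""Component inventory: which applications use which component versions."""
from collections import defaultdict

# Constructed sample manifests (pinned "name==version" lines), one per application.
MANIFESTS = {
    "customer-portal": "webframework==2.3.1\nxmlparser==1.0.4  # legacy feed\n",
    "marketing-site": "webframework==2.5.0\nimagelib==4.1.0\n",
    "partner-api": "xmlparser==1.2.0\nWebFramework==2.3.1\n",
}

def parse_manifest(text):
    """Yield (component, version) pairs; reject entries that are not pinned."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned or malformed entry: {raw!r}")
        yield name.strip().lower(), version.strip()

def version_key(version):
    """Assumes dotted numeric versions; compares as integers so 2.10.0 > 2.9.0."""
    return tuple(int(part) for part in version.split("."))

def build_inventory(manifests):
    """Return {component: {version: sorted list of applications}}."""
    inventory = defaultdict(lambda: defaultdict(set))
    for app, text in manifests.items():
        for component, version in parse_manifest(text):
            inventory[component][version].add(app)
    return {c: {v: sorted(apps) for v, apps in vs.items()}
            for c, vs in inventory.items()}

def apps_needing_update(inventory, component, fixed_version):
    """List (application, version) pairs still below the fixed version."""
    fixed = version_key(fixed_version)
    hits = []
    for version, apps in inventory.get(component.lower(), {}).items():
        if version_key(version) < fixed:
            hits.extend((app, version) for app in apps)
    return sorted(hits)

if __name__ == "__main__":
    inv = build_inventory(MANIFESTS)
    for app, version in apps_needing_update(inv, "webframework", "2.4.0"):
        print(f"{app}: webframework {version} -> update to >= 2.4.0")
```

Rejecting unpinned entries is deliberate: an application whose component version is unknown cannot be answered for when a disclosure arrives.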
When you’re ready to wade in a little further, consider:
eLearning: Stop vulnerabilities at their source. Most developers are not trained in the practices of secure coding. Why would they be? The main goal of any developer is to produce high-quality code that meets the functional demands of the market. Application security solutions that integrate actionable eLearning with testing results allow developers to quickly get guidance on fixing the security issues in their application. And it works: Our research has found that development organizations that leverage eLearning see a 30 percent improvement in fix rate.
The bottom line is that you will only truly reduce the risk of cyberattacks through the application layer when you move forward from scanning a few apps to implementing a program that improves the security of the applications you build, buy and assemble, and across their lifecycles, from inception through production. It’s OK to wade in slowly, but at some point, you’ll need to take the plunge.
Veracode is a leading provider of enterprise-class application security, seamlessly integrating agile security solutions for organizations around the globe. In addition to application security services and secure devops services, Veracode provides a full security assessment to ensure your website and applications are secure, and ensures full enterprise data protection. Application protection services from Veracode include white box testing, and mobile application security testing, with customized solutions that eliminate vulnerabilities at all points along the development life cycle.