You’ve dipped your toes into the AppSec waters, but now it’s time to wade in a little further. Many organizations understand application security is important, and maybe they’ve done some scanning or pen testing of a handful of apps. But many are also unsure what comes next, or even if anything needs to come next.
The reality is that web application attacks are now the most frequent pattern in confirmed breaches, and a one-time scan or pen test of a handful of business-critical apps will not protect you from these breaches. A program that continuously assesses the applications an organization builds, buys or assembles — from inception to production — will. But you don’t need to dive into the deep end right away; we’re just going from toe dipping to wading here. The following are some good next steps:
- Set policies and metrics: Do you know what good looks like for your application security program? Take some time to figure out what your application security initiative’s goals are, and make sure you can measure progress. Consider focusing on the OWASP Top 10 vulnerabilities, or reducing your flaw density by a set percentage.
- Run a discovery scan of your web perimeter: Most organizations don’t even know how many public-facing web applications they have, thanks to websites for new marketing campaigns, company acquisitions or web portals for customers and partners. You can’t protect what you aren’t aware of. With an automated discovery solution, you can quickly and accurately scan your web application perimeter, and find out what you have, and where vulnerabilities most likely lurk. Once you have a handle on your web perimeter, shut down any old, unused sites and scan and fix those most likely to contain exploitable vulnerabilities.
- Get a handle on components: Do your developers use third-party and open source components? They make life easier, but they also cause some serious headaches. Often, when major vulnerabilities in open source components are disclosed, companies struggle to respond because they don’t know which of their applications contain components, or even which components they are using. Consider technologies that keep track of which applications use each component and which versions are in use. This gives your organization an easy way to update a component to the latest version when a vulnerability is disclosed.
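To show what the component inventory above buys you, here is an added example (not code from the original post or from any vendor) that answers the question an advisory raises: which applications ship an affected version? The inventory, the component names and the advisory range are all constructed for illustration.

```python
"""Component inventory check: which applications ship a component version
covered by a newly disclosed advisory. All data below is constructed."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'2.14.1' -> (2, 14, 1); a missing part compares as 0 ('2.14' == '2.14.0').
    Tuples compare numerically, so '2.9' < '2.15' holds; a plain string
    comparison would get that wrong. Pre-release tags are not handled here."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, the usual half-open advisory range."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

# Constructed inventory: application -> {component: version in use}
INVENTORY: Dict[str, Dict[str, str]] = {
    "customer-portal": {"example-logger": "2.14.1", "json-tools": "1.3.0"},
    "partner-api":     {"example-logger": "2.17.0", "json-tools": "1.2.9"},
    "marketing-site":  {"json-tools": "1.3.0"},
}

# Constructed advisory: component name plus the affected version range
ADVISORY = {"component": "example-logger", "introduced": "2.0.0", "fixed": "2.15.0"}

def affected_apps(inventory: Dict[str, Dict[str, str]], advisory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (application, version) pairs that need the component updated."""
    hits = []
    for app, components in sorted(inventory.items()):
        version = components.get(advisory["component"])
        if version is not None and is_affected(version, advisory["introduced"], advisory["fixed"]):
            hits.append((app, version))
    return hits

if __name__ == "__main__":
    for app, version in affected_apps(INVENTORY, ADVISORY):
        print(f"{app}: {ADVISORY['component']} {version} -> update to >= {ADVISORY['fixed']}")
```

Without the inventory, the same question means opening every application's build files by hand, which is exactly the scramble described above.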
When you’re ready to wade in a little further, consider:
- Runtime protection: The reality is that apps end up in production with vulnerabilities. Runtime protection technology enables applications to “self-protect” by reconfiguring automatically, without human intervention, in response to certain conditions.
- eLearning: Stop vulnerabilities at their source. Most developers are not trained in the practices of secure coding. Why would they be? The main goal of any developer is to produce high-quality code that meets the functional demands of the market. Application security solutions that integrate actionable eLearning with testing results allow developers to quickly get guidance on fixing the security issues in their application. And it works: Our research has found that development organizations that leverage eLearning see a 30 percent improvement in fix rate.
- Third-party security: Enterprises are increasingly getting breached through vulnerabilities in third-party applications. Consider an application security solution that will work directly with your software supply chain – on your behalf – to assess and remediate suppliers’ code and ensure it adheres to your security policies before you implement it.
Take the plunge
The bottom line is that you will only truly reduce the risk of cyberattacks through the application layer when you move forward from scanning a few apps to implementing a program that improves the security of the applications you build, buy and assemble, and across their lifecycles, from inception through production. It’s OK to wade in slowly, but at some point, you’ll need to take the plunge.
Want help explaining your next AppSec steps to others in your organization? Check out our new eBook, Top 6 Tips for Explaining Why Your Application Security Journey Is Just Beginning.