Applications and software have become the engine that drives nearly every facet of business and personal life. The sheer amount of effort put into the code that powers these applications and software is remarkable. However, in the rush to add the next great feature or become the next trendsetter, one key aspect is almost always overlooked: developers, from the first moment in their first programming class, are taught how to write code but are rarely taught how to do it securely. As a result, applications are surfacing as a weak link in the security chain; cyber criminals know this and target them. This is demonstrated by an 82% rate of successful data breaches in financial services, according to Verizon’s 2015 Breach Report.
Applications are more complex and access more privileged systems than ever before
Today’s demands have pushed the simple HTTP and HTTPS protocols into implementations that were never imagined. In the first implementations of these protocols, all that was served was static content: images, blogs, and articles that simply provided links to more static content. As user demands changed, the content shifted. Advances gave users the ability to interact with input fields and login pages, sending that information back to servers that had never before been exposed to user requests. Unchecked expressways were opened through perimeter defenses to allow this traffic to request and change data residing on privileged systems. Now we see applications that serve content dynamically on a single page: content can be refreshed, updated, or completely changed without requesting the full page again.
The fact is, applications are becoming increasingly sophisticated and are interacting with more privileged systems and data than ever before. So how do you stem the tide of application exploits? Build a robust application security program.
There are four key components to a robust application security program
Many components make up a mature application security program, but the basis of a robust one can be broken down into four elements, implemented with a risk-based approach within a Secure Software Development Lifecycle (SSDLC). These components provide the foundation on which to continue maturing the SSDLC and the application security program.
1. Secure coding requirements
2. Automated static and dynamic security testing
3. Manual static and dynamic security testing
4. Metrics
Start with secure coding requirements
The first component of the program is secure coding requirements. Requirements are the basis of any development activity, and having a portfolio specific to secure coding gives developers guardrails. They should be written in a format that a developer can easily understand and include in development stories or sprints. An easily importable format for stories or sprints makes the requirements part of all development activity, thereby decreasing the cost of security within the company. A company-wide set of secure coding requirements also provides another measurable metric for determining whether an application is in compliance.
Conduct automated static and dynamic application security testing
The second component, one that should be implemented with or without a formal application security program, is automated security tooling. Automated security tools have grown in popularity over the years, both within security and within application development. While new tools keep being added to the list, almost every company should implement some combination of Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). Each offers benefits to a security program on its own, but implemented together they provide a very solid baseline understanding of the risk associated with an application.
Then conduct manual testing as automated testing alone is insufficient
The third component of a robust application security program is often overlooked under the assumption that automated testing is sufficient. Manual application testing, both SAST and DAST, is a vital element of a risk-based approach to application security. The common belief is that automated tools provide full coverage across the range of applications; in reality, this is not the case. Automated tools do provide a good baseline understanding of the risk posed by applications, but manual testing digs much deeper into more complicated vulnerabilities. Automated tools fall short in understanding application logic, are inefficient at bypassing built-in security controls, rarely find authentication vulnerabilities, and often generate a lot of noise for the application. Manual testing takes a methodical approach: it examines request and response traffic and looks for signs that more complicated vulnerabilities are present. During manual testing a human tester, unlike an automated tool, is not forced to follow the predefined application logic flow and can deviate from it, often identifying vulnerabilities in the process.
Finally, define the metrics by which the program will be measured
The last component of an application security program is the one management will request: metrics. Having metrics identified and tracked provides a basis for justifying additional funding; it shows where the company is at highest risk and how the program has improved the security of its applications. Starting with metrics such as flaw density, common vulnerabilities, highest-risk applications, and applications in compliance allows the company to allocate resources to the most critical or highest-risk applications. Tracking common vulnerabilities also gives both security and development teams data to drive additional requirements building. As the program matures, other metrics geared to specific groups, individuals, or management can be added, as long as there is an audience for them.
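As an added illustration (not code from the original article), the four starter metrics named above can be computed from the findings that SAST/DAST tooling exports. The findings, code-base sizes, severity weights, and the compliance rule (no open high-severity finding) are all constructed assumptions for the example.

```python
from collections import Counter

# Constructed sample findings, shaped like a typical SAST/DAST export (not real data).
FINDINGS = [
    {"app": "billing", "cwe": "CWE-89", "severity": "high"},
    {"app": "billing", "cwe": "CWE-79", "severity": "medium"},
    {"app": "billing", "cwe": "CWE-89", "severity": "high"},
    {"app": "portal", "cwe": "CWE-79", "severity": "medium"},
    {"app": "portal", "cwe": "CWE-798", "severity": "high"},
    {"app": "intranet", "cwe": "CWE-79", "severity": "low"},
]
# Constructed size of each code base in thousands of lines (KLOC).
KLOC = {"billing": 40.0, "portal": 120.0, "intranet": 15.0}
# Assumed severity weighting used to rank applications by risk.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 9}


def flaw_density(findings, kloc):
    """Open findings per thousand lines of code, per application."""
    counts = Counter(f["app"] for f in findings)
    return {app: round(counts[app] / kloc[app], 3) for app in kloc}


def common_vulnerabilities(findings, top=3):
    """Most frequent weakness classes (CWE ids) across the portfolio."""
    return Counter(f["cwe"] for f in findings).most_common(top)


def highest_risk_apps(findings):
    """Applications ordered by severity-weighted finding score, highest first."""
    score = Counter()
    for f in findings:
        score[f["app"]] += SEVERITY_WEIGHT[f["severity"]]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def in_compliance(findings, apps):
    """Assumed compliance rule: an application passes when it has no open high-severity finding."""
    failing = {f["app"] for f in findings if f["severity"] == "high"}
    return {app: app not in failing for app in apps}


if __name__ == "__main__":
    print("flaw density:", flaw_density(FINDINGS, KLOC))
    print("common vulnerabilities:", common_vulnerabilities(FINDINGS))
    print("highest risk:", highest_risk_apps(FINDINGS))
    print("in compliance:", in_compliance(FINDINGS, KLOC))
```

The "common vulnerabilities" output is the feed back into requirements building: a CWE that tops the list across applications is a candidate for a new secure coding requirement.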
In today’s ever-advancing and ever-connected environment, implementing a robust application security program that leans on both automated and manual testing is needed to stem the tide of exploits.