This week on our blog, we have a guest post from Nathan Britton, Principal Consultant at NTT Security.

Web applications are key to any organisation’s digital transformation plans, but they are coming under increasing attack from hackers, cybercriminals and even nation states. In fact, web app attacks were the top attack category last year, comprising 16% of all cyber-attacks identified by NTT Security globally. Hackers increasingly view the application layer as a weak link in organisations’ defences, and with good reason: most time and resources tend to be focused on getting products to market, rather than embedding security.

For this reason, firms desperately need to find new ways to reduce risk in this area by integrating testing and the implementation of controls early on in the software development lifecycle (SDLC). But how best to achieve this? One way would be to build a secure, and repeatable, development framework around a Four As methodology: Assessment, Analysis, Action and Approval.

The race to market

Digital transformation is at the heart of any modern organisation. New and emerging technologies based on cloud, IoT, social, mobile and big data offer firms fantastic opportunities to engage more closely with their customers, work more productively and differentiate their way to success. In fact, 85% of enterprise bosses think they only have two years to make progress in digital transformation before they fall behind their competitors.

That puts tremendous pressure on developers to get software out on time and on budget. Security is often sacrificed in this rush, especially given the lack of in-house resources available in many organisations, and ends up being treated as a mere ‘bolt on’, or afterthought. This is hurting organisations. Why? Because when vulnerabilities inevitably sneak through, it ends up costing more to fix them, from both a financial and a resource perspective, than it would if security had been addressed at an early stage of the SDLC. Research indicates that a staggering 80% of web applications contain at least one vulnerability, which could potentially lead to a significant – and costly – security incident. Further, the US National Institute of Standards and Technology (NIST) estimates it costs 30 times more to fix a vulnerability in post-production than at the requirement identification, design and architecture stage.

With the evolution of methodologies and approaches such as Agile, DevOps and Continuous Integration/Continuous Deployment (CI/CD), the rapid and iterative nature of application development and deployment has challenged organisations to integrate and streamline security within their existing frameworks.

As if this wasn’t challenging enough, IT leaders must find a way to embed security into the SDLC at a time of increasing complexity. Traditional firewalls at the ‘perimeter’ are no longer effective as the cloud consumption model dominates. APIs, micro-services, mobile apps, DevOps, PaaS, rich internet applications and containers all add to the complexity of the application ecosystem.

Hackers are well aware of these challenges, and are only too ready and able to exploit them. Well-known attacks, such as SQL injection, cross-site request forgery (CSRF) and cross-site scripting (XSS), may have been around for years, yet they continue to be prevalent in web applications today, giving attackers the potential to access, steal and tamper with organisations’ and customers’ sensitive data.

The four As

Organisations should therefore consider an approach based around four key tenets:

Assessment: You need a comprehensive way of identifying the breadth and depth of vulnerabilities using a combination of manual and automated testing.

Analysis: Once you’ve established visibility into vulnerabilities, you’ll need to identify and design the right security controls. Build in the right controls at an early stage in the SDLC, based on the vulnerabilities discovered and the recommended mitigations. The process can be automated to make it more accurate and cost effective.

Action: Now it’s time to implement and tune those controls so that vulnerabilities discovered during Assessment and Analysis are mitigated effectively. The right approach will not look to deal with issues in isolation but work to create a more mature underlying approach to web app security.

Approval: This is the crucial final stage in the “Four As” process, providing IT leaders with confirmation and reassurance that vulnerabilities have been successfully addressed. It’s vital in helping to establish that all-important iterative approach to secure software development, from planning to designing, coding and, finally, testing. It’s an almost agile-like process which helps organisations to identify and mitigate risk on a continuous basis. As technology changes and is updated, so are the threats, so secure software development has to be an adaptive, holistic and continuous process.

The benefits of such an approach are clear:

  • Reduced attack surface
  • Optimised app security delivery
  • Faster go-to-market
  • Improved understanding and awareness of risks
  • Improved compliance
  • A secure policy framework for apps
  • Brand confidence


Following this approach will help improve your security posture, but few organisations today have the necessary skills in-house to create and run the kind of holistic secure app development process needed to keep threats at bay. If you don’t have the in-house skills required, find a trusted partner that can help you create a mature, adaptive approach that will stand the organisation in good stead for years to come. Click here to find out more about software application security and how NTT Security can work with you to address the associated challenges.