Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Application Security Best Practices

Home
Industry Insights
Application Security Best Practices

Blog Article Published: 01/10/2022

This blog was originally published by Vulcan Cyber here.

Written by Tal Morgenstern, Vulcan Cyber.

Forget whatever business you think you’re in. As Microsoft CEO Satya Nadella announced in 2019, every company is a software company, creating digital assets like applications and websites. That means application security best practices must be front and center for every single company, no matter what industry they operate in.

If you’re creating and benefiting from digital assets like applications and websites, you need to know that these assets also leave you and your users vulnerable in new ways.

In this post, we’ll examine some of the ways in which building your own applications puts you and your users at risk. We’ll then look at application security best practices that will make it easier for you to find and fix application security weaknesses before they affect your users.

Homegrown Vulnerability

In the traditional process of vulnerability management, it was the vendor’s responsibility to release patches for IT vulnerabilities through operating systems and software. Third-party researchers would discover vulnerabilities, which were uniquely identified as common vulnerabilities and exposures (CVEs), and vendors would roll out fixes either according to a set schedule or on an emergency basis.

Originally, fixes were handled manually by IT without any automation, since there weren’t many vulnerabilities to be resolved at a time. This may have worked fine 10 or 20 years ago. But since then, especially, with today’s highly distributed networks and the range of modern threats online, many companies are already strained to the limit trying to keep up with the burden of staying ahead of cyber hygiene.

On top of this, the additional complexity of developing your own web applications removes those traditional layers of protection entirely. There’s no longer a vendor site to download a patch; finding and fixing vulnerabilities is entirely up to you. Even the most skilled developers may not realize their code has left you vulnerable. And they may not have a strong process in place for testing security, discovering vulnerabilities, and releasing patches for your homegrown applications.

What kind of vulnerabilities are found in homegrown web applications? According to the Open Web Application Security Project (OWASP), which curates a list of the top ten web application weaknesses, major problems in your code can include:

  • Injection flaws, where user data can be passed directly to the application and potentially executed by the server
  • Authentication flaws, where users with bad credentials can gain unwarranted access
  • Sensitive data exposure, where confidential data can be transmitted to unauthorized users

These weaknesses are inherently difficult to address, both because you need to discover them before you can remediate them and because while classic, vendor-driven vulnerability remediation revolves around a model of consistent risk, application security is more dynamic in nature. This means it presents more inconsistencies and can be more difficult to remediate.

And because these are weaknesses that have been essentially created by your developers (inadvertently), this means they require a completely separate remediation process from vulnerabilities in your infrastructure layer.

Finding & Fixing Application Security Weaknesses

To eliminate application security weaknesses, your development team needs to be able to fix the source code. But before they’re empowered to do that, your organization needs to adopt a security-first mindset in which vulnerability remediation is a fully-aligned piece of the business risk picture.

These days, everyone’s talking about breaking down silos, but not every business has acted on that ideal. In the case of application security, however, it’s urgent for the security of your business that development and security join forces at every stage to find and remediate common code security problems in your own applications.

Developers alone may not understand the risk. And security may not see development as part of their responsibility. So here are a few application security best practices that will help your teams communicate and collaborate around vulnerability remediation in homegrown software and web applications:

Assess and contextualize business risk:

Unlike with the CVE model, when CWEs are discovered on your site, you’re alone and lack a ready-made patch to fill in the gaps. Work across departments to understand the impact of risk and prioritize the fixing process.

Build collaboration:

Finger-pointing is unproductive. It’s not enough to say that CWEs are generally the result of poor coding practice. Nor is pushing the problem solely back on developers going to get things fixed better. Instead, provide your developers with the understanding and tools required to build more secure code, and collaborate in a common language.

Maximize business continuity:

While remediation certainly takes a high priority, it’s essential for all departments to understand the importance of not breaking live products, meaning those already running in production. Ideally, you can put systems in place ahead of time to automate and streamline internal product patches so the transition will be as smooth and seamless as possible.

Security That Pivots

Today’s business world is moving faster than ever. DevOps and agile methodologies have become popular because they allow you to pivot on a dime, adapting your business to respond to user needs—and also adapting to security concerns as they surface.

Security teams need to be able to keep up with the constantly evolving threat landscape and compliance requirements that are becoming more and more demanding. As part of this, you need to start implementing application security early on in the development process to avoid last-minute testing and code clean up. Though 71% of CISOs say they can’t guarantee there are no vulnerabilities in their code before it goes to production, you don’t want to be deploying patches to software that’s already been released.

About the Author

Tal directs Vulcan Cyber product strategy and manages the team responsible for building the industry's only vulnerability remediation orchestration platform. Tal co-founded Vulcan Cyber after spending years as architect for cyber security companies Cyberbit, Elbit Systems, and Comsec.
Risk ManagementVulnerabilities

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.
Related Articles:
The Data Security Risks of Adopting Copilot for Microsoft 365

Published: 04/16/2024

From Gatekeeper to Guardian: Why CISOs Must Embrace Their Inner Business Superhero

Published: 04/15/2024

Remote Code Execution (RCE) Lateral Movement Tactics in Cloud Exploitation

Published: 04/12/2024

Cloud Gaming and Data Security: Balancing Fun and Privacy

Published: 04/12/2024