Why You Need Application Security Testing for Business-Critical Applications

This blog was originally published by Onapsis here.

This blog is about the importance of building secure business-critical applications with application security testing. While many organizations employ defense-in-depth security models to protect their critical systems, not enough consideration is given to the security of the code used to build the applications. An exploit of a vulnerability at the code level can allow an attacker to execute a wide range of malicious activities, including impacting supply chains and manufacturing processes, or compromising sensitive data.

Speed is the driving force behind application development. However, releasing or updating applications in record time often comes at the cost of security in development. As companies innovate and digitize operations, this brings new ways to exploit vulnerable applications.

Balance Security With the Speed of Development for Digital Transformations

Digital Transformation

Although digital transformation projects have been implemented over the last decade, these last two years have accelerated the digitization of customer and supply-chain operations. The urgency of these changes favored speed over security, and has consequently left the applications organizations rely on for day-to-day business at risk.

Digital transformation projects need to be executed quickly, ensuring business continuity and timely project completion. However, it can be challenging to meet these project timelines and develop the custom code behind the applications quickly and securely. Rushed application development processes can mean the creation of vulnerabilities within custom code, either due to the lack of time to implement security into the process or from teams completely skipping a lengthy manual code testing process. These unaddressed issues can disrupt operations and interfere with the ongoing delivery of updates.

Cloud Migration

Digital transformation projects like moving business-critical SAP applications to the cloud involves a business’s most important assets, to minimize the risk of downtime and ensure applications in the cloud will continue supporting the business, without interruption. While SAP has traditionally been run on servers residing on premises, many organizations are moving SAP to the cloud for scalability, resiliency, and ease of interoperability with other systems. Migrating a business-critical application to a third-party hosted cloud can mean vulnerabilities within the applications are migrated along with the application due to the lack of time to implement security into the process. Security needs to be taken into consideration since increasing interconnectivity between on premise and cloud environments as well as between internal and third-party systems increases risk. Organizations should address these vulnerabilities and compliance issues before the migration. This way, the organization can be confident that their applications are as secure as possible before the move and that they are maintaining compliance throughout the project.

Building Security into the Development Process

Application security testing enables organizations to build security into development processes to find and fix issues as quickly as possible. But, the challenge around application security testing for SAP is due to the lack of tools that can be used with SAP systems. In addition, for most organizations, security testing for SAP applications means manual security reviews, and with the average SAP system containing over two million lines of code, this isn’t practical.. Given how time consuming these processes can be, there is potential for security due diligence to be rushed or skipped altogether in the interest of getting the project completed on time. This means businesses are developing SAP custom code and applications that may contain many errors, potentially resulting in costly downtime and disruption to their business.

According to a Ponemon study, more than half of respondents report that there is no or limited collaboration between development and security teams1 and only 43% of organizations are making it a point to ensure security is emphasized in the development of new applications2. It is clear that security is often an afterthought, put in late into the development process, or not thought of at all. With DevSecOps, everyone in the software development life cycle is responsible for security. The concept is that the earlier security is inserted into the development process the earlier issues will be resolved and code will be developed faster and “cleaner” leading to faster development times and more secure applications.

Read Part 2 of this blog here.