Application Security Best Practices
This blog was originally published by Vulcan Cyber here.
Written by Tal Morgenstern, Vulcan Cyber.
Forget whatever business you think you’re in. As Microsoft CEO Satya Nadella announced in 2019, every company is a software company, creating digital assets like applications and websites. That means application security best practices must be front and center for every single company, no matter what industry they operate in.
If you’re creating and benefiting from digital assets like applications and websites, you need to know that these assets also leave you and your users vulnerable in new ways.
In this post, we’ll examine some of the ways in which building your own applications puts you and your users at risk. We’ll then look at application security best practices that will make it easier for you to find and fix application security weaknesses before they affect your users.
In the traditional process of vulnerability management, it was the vendor’s responsibility to release patches for IT vulnerabilities through operating systems and software. Third-party researchers would discover vulnerabilities, which were uniquely identified as common vulnerabilities and exposures (CVEs), and vendors would roll out fixes either according to a set schedule or on an emergency basis.
Originally, fixes were handled manually by IT without any automation, since there weren’t many vulnerabilities to be resolved at a time. This may have worked fine 10 or 20 years ago. But since then, especially, with today’s highly distributed networks and the range of modern threats online, many companies are already strained to the limit trying to keep up with the burden of staying ahead of cyber hygiene.
On top of this, the additional complexity of developing your own web applications removes those traditional layers of protection entirely. There’s no longer a vendor site to download a patch; finding and fixing vulnerabilities is entirely up to you. Even the most skilled developers may not realize their code has left you vulnerable. And they may not have a strong process in place for testing security, discovering vulnerabilities, and releasing patches for your homegrown applications.
What kind of vulnerabilities are found in homegrown web applications? According to the Open Web Application Security Project (OWASP), which curates a list of the top ten web application weaknesses, major problems in your code can include:
- Injection flaws, where user data can be passed directly to the application and potentially executed by the server
- Authentication flaws, where users with bad credentials can gain unwarranted access
- Sensitive data exposure, where confidential data can be transmitted to unauthorized users
These weaknesses are inherently difficult to address, both because you need to discover them before you can remediate them and because while classic, vendor-driven vulnerability remediation revolves around a model of consistent risk, application security is more dynamic in nature. This means it presents more inconsistencies and can be more difficult to remediate.
And because these are weaknesses that have been essentially created by your developers (inadvertently), this means they require a completely separate remediation process from vulnerabilities in your infrastructure layer.
Finding & Fixing Application Security Weaknesses
To eliminate application security weaknesses, your development team needs to be able to fix the source code. But before they’re empowered to do that, your organization needs to adopt a security-first mindset in which vulnerability remediation is a fully-aligned piece of the business risk picture.
These days, everyone’s talking about breaking down silos, but not every business has acted on that ideal. In the case of application security, however, it’s urgent for the security of your business that development and security join forces at every stage to find and remediate common code security problems in your own applications.
Developers alone may not understand the risk. And security may not see development as part of their responsibility. So here are a few application security best practices that will help your teams communicate and collaborate around vulnerability remediation in homegrown software and web applications:
Assess and contextualize business risk:
Unlike with the CVE model, when CWEs are discovered on your site, you’re alone and lack a ready-made patch to fill in the gaps. Work across departments to understand the impact of risk and prioritize the fixing process.
Finger-pointing is unproductive. It’s not enough to say that CWEs are generally the result of poor coding practice. Nor is pushing the problem solely back on developers going to get things fixed better. Instead, provide your developers with the understanding and tools required to build more secure code, and collaborate in a common language.
Maximize business continuity:
While remediation certainly takes a high priority, it’s essential for all departments to understand the importance of not breaking live products, meaning those already running in production. Ideally, you can put systems in place ahead of time to automate and streamline internal product patches so the transition will be as smooth and seamless as possible.
Security That Pivots
Today’s business world is moving faster than ever. DevOps and agile methodologies have become popular because they allow you to pivot on a dime, adapting your business to respond to user needs—and also adapting to security concerns as they surface.
Security teams need to be able to keep up with the constantly evolving threat landscape and compliance requirements that are becoming more and more demanding. As part of this, you need to start implementing application security early on in the development process to avoid last-minute testing and code clean up. Though 71% of CISOs say they can’t guarantee there are no vulnerabilities in their code before it goes to production, you don’t want to be deploying patches to software that’s already been released.
About the Author
Tal directs Vulcan Cyber product strategy and manages the team responsible for building the industry's only vulnerability remediation orchestration platform. Tal co-founded Vulcan Cyber after spending years as architect for cyber security companies Cyberbit, Elbit Systems, and Comsec.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.