Today's enterprises are struggling to secure their applications. With thousands of applications in use and new threats emerging daily, large organizations face a monumental task. Compounding matters is the fact that many IT security professionals say their employers aren't investing enough in application security relative to other cybersecurity efforts.
And the problem is big — particularly enterprises that develop (or customize) applications in-house.
For its 2017 State of Software Security report, CA Veracode drew on data from 40,000 tests of 250 billion lines of code in 2016 and 2017. It found that 77 percent of the custom applications scanned contained at least one vulnerability during their initial scans.
With so many vulnerabilities just waiting to be exploited, it's unsurprising that the SANS Institute 2017 State of Application Security report found that 15 percent of organizations surveyed had experienced a breach related to an application vulnerability over the past two years. In addition, another 21 percent weren't sure but thought they might have experienced an application-related breach.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
For most enterprises, even one breach is too many. According to the Ponemon Institute, the average cost of a data breach is $3.86 million or $148 per record stolen. And the damage to an organization's reputation and brand can be incalculable.
Clearly, application security is a critical concern for enterprises.
What is application security?
Several organizations have crafted definitions of application security. One of the easiest to understand comes from vendor CA Veracode:
Application security, or “AppSec,” is what an organization does to protect its critical data from external threats by ensuring the security of all of the software used to run the business, whether built internally, bought or downloaded. Application security helps identify, fix and prevent security vulnerabilities in any kind of software application.
Essentially, application security is all about preventing cyberattackers from exploiting bugs in any software that an organization uses.
An enterprise's AppSec team, then, is focused on finding and patching those bugs. Vulnerabilities can occur in nearly every kind of software, whether it comes from a third-party or was developed in-house, whether it resides in the cloud or in the company's data centers, and whether users access it via a PC, mobile device or the Web.
Security requirements for application software types
The kind of measures an AppSec team takes to secure an app depends on the type of application involved and the relative risk. For example, public-facing Web applications with mission-critical or customer data are at a high risk and should be protected by stronger security measures than an internal, non-Web-facing application that doesn't contain any sensitive data. Some of the most common types of application software that AppSec teams will need to secure include the following:
Organizations will need to take different security measures for applications that run on-premises depending on whether they are third-party or custom applications.
For third-party applications, experts recommend the following:
- Remediation process: Organizations should establish a process for remediating or mitigating application security vulnerabilities. This should include an inventory of all applications in use at the organization, a way to track known vulnerabilities and patches, and a method for applying patches such as patch management.
- Identity management: Experts also advise that enterprises consider a unified identity management solution that requires the use of strong passwords. According to WhiteHat Security's 2017 Application Security Statistics Report, 81 percent of hacking-related security breaches leveraged weak or stolen passwords.
- Infrastructure security: It's also worth noting that applications are only as secure as the infrastructure and networks on which they run. Security teams need follow industry best practices such as deploying firewalls, intrusion detection and prevention systems, and other security solutions.
For custom applications, organizations will need to take quite a few additional measures, such as the following:
- Application security testing: According to the CA Veracode report, 52 percent of enterprises sometimes do AppSec testing, but most don't consistently test every app. In fact, "83 percent of organizations have released code before testing or resolving security issues." That's unfortunate, because the report also found that application security testing increased the number of applications that pass the vulnerability scan by 13 percent. Gartner has predicted that the number of enterprises doing AppSec testing will increase. In a Magic Quadrant report, it said, "By 2019, more than 50 percent of enterprise DevOps initiatives will have incorporated application security testing (AST) for custom code, an increase from fewer than 10 percent today."
- Developer training: That CA Veracode report also found that “Developer training has an essential role in reducing flaws. eLearning improved developer fix rates by 19 percent; remediation coaching improved fix rates by 88 percent.” However, to date, enterprises have not been paying a lot of attention to training their programmers on secure development practices. In fact, 86 percent of those surveyed said their employers weren't investing enough in application security training.
- DevOps and DevSecOps practices: With their focus on continuous testing and spreading responsibility for security throughout an organization, DevOps and DevSecOps approaches have helped organizations improve their application security. While the data isn't yet definitive, several reports have found correlations between DevOps and Agile practices and improved application security.
- Maintain an open source code inventory: Today, most enterprise application development teams leverage open source code in their custom applications, but few of them review that code later on to patch any vulnerabilities that have come to light. In fact, the CA Veracode found that 88 percent of the Java applications tested were using at least one component that has a known vulnerability. In addition, only 28 percent of organizations said they do any kind of composition analysis to see which open source code they are using. If you don't know what code you've used, you probably won't patch it when a vulnerability comes to light.
Applications that run in public or private clouds introduce additional security risks above and beyond those associated with on-premises applications. In addition to the measures outlined above, cloud apps merit the following:
- Cloud application management: Experts say that organizations should invest in monitoring tools that can help them detect which software-as-a-service applications their employees are using. Otherwise, vulnerabilities can creep into the corporate environment through shadow IT. A cloud application security broker (CASB) is one such tool, and next-generation firewalls (NGFWs) have begun to add SaaS application monitoring tools.
- Due diligence: Before using a particular cloud vendor, organizations need to investigate the security measures the vendor has in place. They need to ensure that the cloud environment will meet their compliance needs and provide adequate security for corporate and customer data. If the vendor has any gaps in its security measures, the enterprise needs to be prepared to step in with additional security precautions to bridge those gaps.
- Encryption: Any cloud-based apps should encrypt data both in transit and at rest. Otherwise, any data that flows across the public Internet on its way to or from the cloud service could be vulnerable to interception. In addition, cloud data centers represent a valuable target for hackers, so organizations need to make sure that attackers can't read any data they get off cloud-based infrastructure, even if they do manage to breach the vendor's security.
- Strong authentication: Because cloud apps are accessed over the Internet, anyone can access them if they have the right authentication. For this reason, most experts recommend two-factor authentication, at a minimum, to protect cloud applications. Organizations may also want to consider using a unified, cloud-based identity management solution to authenticate users to both cloud-based and on-premises applications.
Like cloud apps, mobile apps pose their own risks to the enterprise. In addition to the usual steps for on-premises applications, organizations should take the following steps to secure mobile apps:
- Mobile management software: In the same way that organizations need to control which cloud apps their employees are using, they also need procedures and tools for monitoring and managing mobile apps, whether they are on employer-purchased or shared devices. Some organizations take the step of setting up an enterprise app store that includes whitelisted apps that are approved for work use. One comprehensive way to approach mobile security is enterprise mobility management.
- Mobile behavioral analysis: Similar to user and entity behavioral analysis (UEBA) solutions, mobile behavioral analysis tools look for signs that apps are engaging in risky or malicious behaviors. They can then flag suspect apps so that IT can take appropriate measures.
- Encryption: Many organizations are developing their own mobile apps, and if that is the case, they need to make sure the apps encrypt data in transit and at rest, just as they would for cloud apps.
- Strong authentication: Again, much like cloud apps, most mobile apps should have two-factor authentication or other strong authentication measures.
- Limited permissions: Any custom mobile apps the enterprise creates should require only the permissions necessary for the app to function properly. This helps reduce the security risk posed by the app while also reassuring app users.
Experts generally consider Web apps to be the most vulnerable of any of the types of application software. These applications require very stringent AppSec measures, including the following:
- Penetration testing: In penetration testing, "white hat" hackers attempt to penetrate the defenses of a Web application. Enterprises can hire pen testing experts or set up a bug bounty program to reward security researchers who identify bugs in the applications. This is one of the best ways to find vulnerabilities within Web apps.
- Web application firewall (WAF): Web application firewalls sit in front of the servers hosting Web apps, where they monitor and filter Internet traffic. They can protect against common types of attacks, such as cross-site scripting and SQL injection.
- DDoS protection: Web applications are vulnerable to distributed denial of service (DDoS) attacks that attempt to overwhelm the Web servers with a flood of traffic. There are a number of ways organizations can protect themselves, including DDoS protection solutions.
- Strong authentication: Again, multi-factor authentication can help to ensure that only authorized users are getting access to sensitive data.
- Encryption: As with other types of Internet-facing apps, data should be encrypted in transit and at rest.