By Akanksha Yadav | May 14, 2020
Modern businesses run on applications. The application and its underlying data are what is critical to an organization; the IT infrastructure, defensive products and the other pieces of the puzzle are just means to run, store and use those applications and their data securely. So it should be no surprise that, of all the assets exposed on the internet, applications are the No. 1 target for breaches. According to Gartner, the enterprise application market is expected to exceed $300 billion by 2023. With more than 5 million apps on the Google Play Store and Apple App Store combined, and thousands of web applications being developed daily across the globe, that count will only increase.
As per Veracode's latest State of Software Security report, which covered around 250 billion lines of code worldwide, 70% of all apps had at least one vulnerability falling into an OWASP Top 10 category. Furthermore, it is worth noting that around 84% of all security breaches target the application layer, and these attacks are growing by more than 25% annually.
How an application should be secured depends on the type of application and the risks it carries. Broadly, the applications hosted in a data center fall into two categories: custom-built applications and third-party enterprise applications.
For custom applications, the biggest cause of security failure is the lack of involvement of security professionals in the development process. The result is applications with serious security flaws that put the entire company at risk, despite large investments in other security technologies.
In custom applications, risk is introduced at three stages: during development, during testing, and during deployment and operations. The best way to secure these applications is to address security across the entire lifecycle, including design, development, testing, release and upgrade.
The biggest challenges here are flaws in the architectural design. Badly designed applications are the easiest to compromise; they typically involve poor coding practices, buffer overflows and a lack of data encryption. Indiscriminate use of open-source components, outsourcing code development without vetting, poorly chosen security approaches and neglect of security testing during coding are the key reasons for failure in the development phase. Organizations should move from traditional SDLC models towards agile DevOps practices with security built into the pipeline. Not testing applications at run time is another gap. Static Application Security Testing (SAST) tools analyse the application's source code to determine whether security vulnerabilities exist, during development itself. They look at the application ‘from the inside out’, without needing to compile or run it, by integrating directly with the IDE or build tool where the code is written. Dynamic Application Security Testing (DAST) tools find vulnerabilities by exercising a running instance of the application from the outside, the way an attacker would: they simulate attacks against the deployed application and reveal the complex attack patterns that criminals use to find weaknesses. In practice they are usually pointed at a staging environment that mirrors production, since actively attacking production systems carries risk of its own.
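To make the SAST idea concrete, here is an added example (not code from the original article or from any vendor tool) of a minimal static rule engine: it parses Python source into an AST and flags two classic OWASP Top 10 sinks, SQL built from a dynamic string and `subprocess` called with `shell=True`, without executing or even importing the target code. The sample source it scans is constructed for this example and places a vulnerable handler next to its hardened rewrite; the rule names, function names and message text are this example's own assumptions.

```python
"""Minimal SAST-style rule engine (added example, not the article's code).

Walks the AST of a Python source string and reports:
  SQLI  - cursor.execute()/executemany() whose first argument is built at
          runtime (concatenation, % formatting, .format(), f-string)
  CMDI  - subprocess.run()/call()/Popen()/check_* invoked with shell=True
Nothing in the scanned source is executed; this is pure source analysis.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str


# Constructed sample input: a vulnerable function beside its hardened form.
SAMPLE_SOURCE = '''
import sqlite3, subprocess

def find_user_vulnerable(conn, username):
    cur = conn.cursor()
    # Injection: query assembled by string formatting
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    return cur.fetchone()

def find_user_hardened(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def ping_vulnerable(host):
    # Command injection: user-controlled string handed to a shell
    return subprocess.run("ping -c 1 " + host, shell=True)

def ping_hardened(host):
    return subprocess.run(["ping", "-c", "1", host], shell=False)
'''


def _is_call_to(node, names):
    """True if the callee of this ast.Call is one of `names` (attribute or bare name)."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr in names
    if isinstance(func, ast.Name):
        return func.id in names
    return False


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime rather than using a literal."""
    if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x  /  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":
        return True                                          # "...".format(x)
    return False


class SinkVisitor(ast.NodeVisitor):
    """Visits every call expression and applies the two rules above."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        if _is_call_to(node, {"execute", "executemany"}) and node.args \
                and _is_dynamic_string(node.args[0]):
            self.findings.append(Finding(
                node.lineno, "SQLI",
                "SQL statement built from a dynamic string; use a parameterised query"))
        if _is_call_to(node, {"run", "call", "Popen", "check_output", "check_call"}):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) \
                        and kw.value.value is True:
                    self.findings.append(Finding(
                        node.lineno, "CMDI",
                        "subprocess invoked with shell=True; pass an argv list with shell=False"))
        self.generic_visit(node)


def scan_source(source):
    """Parse `source` and return its findings sorted by line number."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.message}")
```

Run against the sample, the scanner reports the two vulnerable functions and stays silent on the hardened ones, which is exactly the signal a SAST plug-in surfaces in the IDE before the code is ever compiled or deployed. Real tools add data-flow tracking so that a string built several lines earlier and only later passed to `execute()` is still caught; this rule only looks at the call's immediate argument.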
Once you have secured the design, development and testing of your applications, the next big task is keeping them protected in production. In the deployment phase, losing track of the web perimeter, that is, not knowing which web applications you have active and exposed, is dangerous: you cannot protect what you do not know you are running.
Organizations should consider application-shielding controls in front of those exposed apps. For instance, the Web Application Firewall (WAF) is one of the most crucial components in any company's security strategy today. A WAF inspects HTTP traffic and blocks requests matching known attack patterns, giving broad, real-time coverage of the OWASP Top 10 categories. It is a mitigating layer rather than a substitute for fixing the underlying flaws: signature rules can be bypassed by encoding tricks and can produce false positives. A WAF also provides bot defense, DoS protection, credential protection and advanced features such as behaviour analytics. These deployment considerations apply to both custom apps and third-party enterprise apps.
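The following is an added example, not code from the original article or from any WAF product, of the core of a signature-based WAF: a small request filter that normalises each parameter (repeated URL-decoding and case folding) before matching it against a handful of illustrative SQL injection, XSS and path-traversal signatures. The signature set, the parameter names and the `normalised` switch are this example's own assumptions; it exists to show why normalisation decides whether a WAF catches an encoded payload at all, and why a rule match is one layer of defense rather than complete coverage.

```python
"""Minimal signature-based WAF request filter (added example, not the article's code).

inspect() returns (parameter, rule) hits for a dict of request parameters.
With normalised=True the value is percent-decoded up to twice (attackers
double-encode) and lower-cased before matching; with normalised=False the raw
value is matched, which is how naive filters get bypassed.
"""
import re
from urllib.parse import unquote_plus

# Small illustrative signature set, constructed for this example. Real rule
# sets (e.g. the OWASP Core Rule Set) are far larger and use anomaly scoring
# rather than a single-hit block decision.
SIGNATURES = {
    "SQLI": re.compile(
        r"(?:'|\")\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+"   # ' OR '1'='1
        r"|union\s+select"                                   # UNION SELECT
        r"|;\s*drop\s+table",                                # ; DROP TABLE
        re.I),
    "XSS": re.compile(
        r"<\s*script|javascript\s*:|\bon(?:load|error|click|mouseover)\s*=", re.I),
    "PATH": re.compile(r"(?:\.\./|\.\.\\){2,}"),              # ../../
}


def normalise(value, max_rounds=2):
    """Percent-decode until stable (bounded), then fold case."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def inspect(params, normalised=True):
    """Return a list of (param_name, rule_name) for every signature that matches."""
    hits = []
    for name, raw in params.items():
        value = normalise(raw) if normalised else raw
        for rule, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, rule))
    return hits


def decide(params):
    """Single-hit policy: block the request if any signature matches, else allow."""
    return "BLOCK" if inspect(params) else "ALLOW"


if __name__ == "__main__":
    # Constructed requests: a plain payload, the same payload URL-encoded,
    # and a double-encoded variant.
    samples = [
        {"id": "1' OR '1'='1"},
        {"id": "1%27%20OR%20%271%27%3D%271"},
        {"id": "1%2527%2520OR%2520%25271%2527%253D%25271"},
        {"q": "search for cats"},
    ]
    for req in samples:
        print(req, "raw:", inspect(req, normalised=False), "normalised:", inspect(req))
```

The encoded and double-encoded payloads produce no hit when the raw value is matched and a SQLI hit once it is normalised; that gap is the classic WAF bypass. The block also shows the trade-off on the other side: the signatures are deliberately narrow to keep false positives down, which is why a real deployment tunes rules per application and still fixes the injection in the code behind the WAF.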
Both custom-built and third-party apps should be integrated with an identity and access management (IAM) solution so that stronger authentication measures, such as multi-factor authentication, can be enforced consistently. Regular penetration testing, in which testers attempt to breach the app's defenses and identify exploitable bugs, is also recommended.
The time has come for companies to think beyond identifying common application development errors and protecting against common attack techniques. We should also remember that the security of an application is only as good as the security of the infrastructure beneath it. We must adopt a holistic approach: a layered, distributed defense strategy comprising multiple security processes and tools for every stage of the application lifecycle, integrated with the other layers of the organization's existing security posture.