Monday, November 27, 2023

Importance of Application Security in the Era of Cloud Computing

For every business that relies on a web application to operate, especially in the eCommerce space, the software behind that application sits at the center of everything the business does to drive revenue and growth. Other aspects of security also need attention, but securing the most important asset, the external-facing web application, is paramount. An application that is not secured from the outset is destined for a catastrophic security failure that disrupts business continuity.

The onus of implementing a robust app security and privacy-by-design framework lies with Infosec; however, once the setup is complete and the program is jump-started, the responsibility for maintaining compliance lies with the engineering team that owns the app.

App security in a cloud-native environment is expected to follow the agile methodology of continuous integration of code and continuous delivery of product features, leveraging the power of today’s cloud computing. When this proactive, defensive security strategy is implemented successfully, companies can rest assured that the cost of reactive security will be kept to a minimum. Companies that recognize the importance of app security and invest their resources in it will not only avoid the cost of reactive security but also remain a model for the industry.

Why App Security is So Critical

According to Gartner, spending on application security will more than double in the upcoming years and grow from $6 billion to $13.7 billion by 2026. Spending in this sector is the second-fastest growing segment of the market, projected to grow at a CAGR of 22.7% between 2021 and 2026.

Attacks against web applications are a growing threat, putting businesses at risk of malware, denial of service, data leaks, misconfiguration exploits, and more. Some of the key vulnerability classes are Cross-Site Scripting (XSS), Cross-Site Request Forgery (XSRF), and SQL injection. Refer to the OWASP Top 10: https://owasp.org/www-project-top-ten/

Maintaining a good app security posture requires adopting a project management mindset that covers the key phases (plan, design, build, release, and maintain) as the organization adopts a Secure Software Development Lifecycle (SSDLC).

Selecting the Right Toolset

When it comes to selecting a tool for implementation, the market for scan tools is competitive and their functionality overlaps, so it is prudent to apply proper due diligence in identifying the right tool for each job.

The following are the key elements of an app security program that need to be performed as an integral part of secure software development.

Threat Modeling

This is one of the key elements of the SSDLC. It helps identify all potential threats, security issues, and vulnerabilities and, based on those, defines techniques or countermeasures to prevent, tackle, and mitigate them.

Static Application Security Testing (SAST)

It is white-box testing that scans the source code for security vulnerabilities before the code is compiled.

Dynamic Application Security Testing (DAST)

It is black-box testing that scans a running application for vulnerabilities. DAST tools perform automated scans, simulating various attacks to detect vulnerabilities and areas for improvement.

Software Composition Analysis (SCA)

Identifies risks in open-source packages. SCA tools inventory all open-source packages in an application and report the known vulnerabilities of those packages.

Secret Detection in Code

This scan detects secrets, such as keys or API tokens, that may have been accidentally committed to Git repositories.
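As an added example (not code from the original post), here is a minimal pre-commit style secret scanner of the kind the "secret detect" pipeline stage runs: it combines known key-prefix patterns, a keyword-assignment rule, and a Shannon-entropy check on long tokens. The rule list, the 4.5 bits/char threshold, and the sample config are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter
from typing import NamedTuple

# Known key formats: AWS access key IDs start with "AKIA", GitHub personal
# access tokens with "ghp_". Illustrative rules, not an exhaustive list.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# A quoted literal assigned to a secret-looking variable name.
KEYWORD_RULE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]")
# Tokens long enough to be worth an entropy check.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; an assumed tuning value

class Finding(NamedTuple):
    line_no: int
    rule: str
    masked: str  # never echo the full candidate into CI logs

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def mask(s: str) -> str: return s[:4] + "***"

def find_secrets(text: str) -> list:
    """Scan text line by line; one Finding per (line, rule) that fires."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERN_RULES.items():
            findings += [Finding(line_no, name, mask(m)) for m in rx.findall(line)]
        m = KEYWORD_RULE.search(line)
        if m:
            findings.append(Finding(line_no, "keyword_assignment", mask(m.group(2))))
        findings += [Finding(line_no, "high_entropy", mask(t))
                     for t in TOKEN_RE.findall(line) if shannon_entropy(t) >= ENTROPY_THRESHOLD]
    return findings

# Constructed sample config a developer might stage by mistake; a pre-commit
# hook would run find_secrets() on the staged diff and exit non-zero on findings.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAAAAABBBBCCCCDDDD"
password = "changeme"
SESSION_SEED = "q7Zp3LmX9Kv2Wn8Rt5Yb1Hc4Jd6Fg0Sa"
CACHE_PREFIX = "release-candidate-build-artifacts-2023"
"""
```

The last sample line is a long but low-entropy constant, which is why the entropy rule does not flag it; tune the threshold against your own code base to balance misses and noise.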

Benefits of Application Security (CI/CD Security)

Microservices applications are composed of many components, each of which could be managed by different teams and has its own development lifecycle.

Unlike a traditional monolithic app, a microservices-based architecture consists of dozens or hundreds of pipelines. The following are the benefits of CI/CD security.

  • Helps dev teams plan releases properly, making it easier to catch and address issues that could affect the release timeline. The Secure Software Development Lifecycle (aka SSDLC or CI/CD security) helps keep releases on track.
  • The SSDLC at its core has security efforts led by developers, so it empowers developers to take ownership of the overall quality of their applications, which leads to more secure applications being deployed to production.
  • The availability of a plethora of specialized scan tools has made it possible to automate across people (engineers, DevOps, Infosec), process, and technology.
  • By fixing issues early in the process (proactive), development teams can reduce the total cost of ownership of their applications. Discovering issues late in the SDLC can result in a many-fold increase in the development cost needed to fix them (reactive).

A successful app security program is one that knows how to measure, report, and track progress. The following KPIs will help the organization manage its cloud-native security posture.

  • Unit testing – measured in terms of code coverage percentage.
  • Code review – performed by a peer or tech lead before merging to the main branch.
  • Continuous integration – make sure the build pipeline runs from code commit, through build and quality scans (SAST, DAST, SCA, secret detection), to deployment within a day or two.

Many companies struggle to present these metrics in a form where each is derived and presented for quarterly CIO/leadership review. The security team sets the baseline for each quarter. It might be difficult to showcase a high score right away; however, the app team can start small, and as they go through the learning curve it becomes natural for them to self-report. Leadership will certainly appreciate a unified report of the key security metrics in a single pane of glass for each service.
