There’s a screenshot making the rounds on social media these days. You know the one:
Whether your company is a digital transformation leader or follower, you’re most likely undergoing a massive transformation in how your employees and teams work.
If you were still using on-premise software until a few weeks ago, you’ve most likely been forced to shift to cloud-based web applications to enable remote work, just like everyone else. But while you’re dealing with changing processes and legal aspects, there’s another issue brewing beneath the surface: the need to secure the apps you’re using and developing.
Because the conditions in the business environment are changing so quickly, companies like yours have to keep up. But “move fast and break things” – a motto many startups live by – is a dangerous and risky approach.
Why secure app development is a a must-have
Let’s look at some numbers.
Reports show that organizations use, on average, 765 different web apps.
When devs build and integrate more software faster, the volume of security vulnerabilities grows exponentially. This increases the attack surface, increasing the potential for cybercriminal exploitation.
Statistics show companies need more help than ever to ensure the applications they develop and use meet global security standards:
90% of active applications had a known vulnerability in Q2 2018 – TCELL Security Report for In-Production Web Applications
86% of tested applications had one or more session management vulnerabilities – 2018 Trustwave Global Security Report
30% of active apps had at least one critical vulnerability in Q2 2018 – TCELL Security Report for In-Production Web Applications
1 in 3 companies suffered or suspected a breach caused by web app vulnerabilities in the last 12 months – 2018 DevSecOps Community Survey
56% of executives had to change public-facing apps monthly to address security threats – Radware’s 2018-2019 Global Application & Network Security Report
Developers outnumber security specialists 100:1 – 2018 DevSecOps Community Survey
These numbers paint a painful – and dangerous – picture.
But don’t get discouraged: developing secure apps is doable and we’re here to help with practical guidelines and resources.
Where to start
Whether they have infosec experience or not, the developers on your team can train themselves to make code security an important step in your Software Development Life Cycle.
Develop top 3 worst-case scenarios. Get the product owner/manager involved to ensure everyone understands the business value involved.
Define the potential impact of these doomsday scenarios in a way that translates technical risk into business risk. Think of the chain reaction an application vulnerability can trigger: vulnerability > malicious exploit > data breach > legal disclosure > GDPR fine > brand reputation damage.
Prioritize risks to focus on vulnerabilities that can trigger these worst-case scenarios to make sure your team works on the right priorities.
Define and document how the application interacts with other assets (applications, business flows, etc.). Create a data flow diagram to create clarity and a shared understanding of the risks.
Identify and prioritize trust boundaries. To make sure you can accurately define when a trust boundary is crossed, you can use the STRIDE threat model. The name is an acronym that stands for:
- Information disclosure (privacy breach or data leak)
- Denial of service
- Elevation of privilege.
Based on the worst-case scenarios you developed, you can leverage this model – or others – and various tools used for development to track bugs during development and fix them before they turn into vulnerabilities once the app gets released.
In the simplest possible terms, ask yourself these 3 questions recommended by infosec specialist Adam Shostack (part of Microsoft’s Security Development Lifecycle strategy team):
- What are you building?
- What can go wrong?
- What are you going to do about it?
Other tactics you can explore to find security issues in your apps include:
- Static code analysis
- Fuzzing or other forms of dynamic testing and code review
- Penetration testing
- Post-release bug reports
- Threat modeling.
These vulnerability discovery tactics can identify security flaws affecting:
- Authentication & Authorization
- Access Control
- Session management
- Data validation
- Security Configuration
- Error handling
- Business Logic flows, and more.
As you can see, the list is long and full of potential risks for the business side of your company which is deeply influenced by the tech you build and use – and how you build and use it.
Application security best practices
If you don’t have a formalized process for building security into your SDLC (Software Development Lifecycle), there are plenty of models, principles, and best you can follow, with online resources galore to support your developers.
Some of these best practices include:
- domain separation
- making sure each phase in the SDLC has a corresponding security activity
- leveraging reference models of mature practices (Capability Maturity Models) to identify potential areas for improvement
- strong authentication/authorization, and the list can go on.
Throughout this entire process, remember that developers aren’t infosec experts. Despite their best intentions, they often lack the time or inclination to fix all the security holes before the app’s release date.
Most developers (or at least 48% of them) know that writing secure code is important but they can’t find the time for it.
Be mindful of their work and effort, and set realistic expectations around what – and how long – it will take to make security a part of the SDLC.
Building new apps is not the only time when you need security-focused code reviews. You should conduct (or contract) a security code review when:
- you make significant changes to your code or you introduce new features
- at least once per business quarter
- each time you introduce new apps into your system.
No time? No internal resources? No problem!
If you don’t have the internal capabilities to do security code reviews and detect and fix vulnerabilities early, you can hire independent security engineers to do it for you.
Working with a trusted partner can also help you save time and money – on the spot and down the road – when:
- You have to tackle specific application security issues and lack the expertise to do it internally
- You need to onboard highly specialized threat intelligence to deal with code reviews in complex environments
- You want to implement controls that are most effective for your company’s context
- You seek to enlist powerful security tools and need highly trained security specialists to verify they’re implemented correctly.
For example, our team can perform effort-intensive and professional:
- Mobile Application Code Reviews for both Android and iOS
- Software Application Code Reviews for apps written in C/C++, .NET, C#, Delphi and more.
To ensure we effectively discover and mitigate security issues in your code, we combine meticulous manual reviews with automated application security analysis. This helps filter out false positives and uncover design and architecture errors and flaws automated tools cannot spot.
No matter if you choose to keep app security in your team or enlist the help of an experienced partner, security code reviews protect your applications against a wide range of threats:
- Cross-site scripting (XSS)
- Session hijacking
- API vulnerabilities and attacks
- Malicious code injection
- Abuse of functionality
- Brute force
- Protocol abuse
- DNS cache poisoning
- Command injection
- TLS denial-of-service
- Sensitive data exposure
- Remote code execution
- Privilege escalation attacks
- Exploitation of known vulnerabilities
- Input validation errors or failure to sanitize / properly validate user input
- Lateral movement attacks
- Business logic flaws.
The benefits overflow into your business processes and performance. Good application security prevents:
- Customer revenue loss
- Productivity decline / impact
- Regulatory fines
- Contractual damage
- Repair, replacement, and remediation costs
- IT and security response costs
- Loss of competitive advantage
- Loss of reputation / customer confidence
- Downtime costs
- Business disruption
- Sensitive data exposure, and a lot more!
Resources your developers will love
- John Opdenakker’s list of appsec learning resources
- Application Security Risk calculator
- The OWASP SAMM (Software Assurance Maturity Model) framework
- The SAMM community on Slack or Google Groups