Application Security in a Cloud First World
What is the state of application security? Why is it neglected?
- Development and quality assurance (QA) are often standalone functions that are not well integrated with information security initiatives or business goals.
- The very people who are developing and testing the software are often not at the table when security features, threat modeling, and compliance requirements are being discussed.
What should be done?
- Critical Infrastructure and Cybersecurity
- Mobile and Network Application Security
- Network Security
- Cloud Security
- Internet of Things Security
Putting it into practice – Adopting a DevSecOps Approach
Adopting a DevSecOps approach is key to ensuring the security of your application throughout the entire secure development life cycle, rather than treating security as an add-on. This “shift-left” approach means that every security issue should be found and resolved as early, and as quickly, as possible. Before that can happen, security, as a hard requirement of every application, must be baked into the product from the earliest possible stage rather than bolted on as an afterthought.
- Enable application teams to move faster and security teams to prioritize their efforts through shared, actionable, real-time application security data.
- Support modern architectures without breaking production, and provide seamless strategic and tactical visibility.
- Provide reliable blocking with no required tuning and no performance degradation.
Roadmap for Application Security
- Perform an application security maturity assessment: Maturity assessments surface existing gaps in the security apparatus, risk areas, and threat vectors. These are then presented in the context of the business impact of each risk, scalability, and a security road map to meet business objectives over a given period of time. Armed with this critical information, organizations can set out on their application security journey and define key priority areas.
- Secure the Application Landscape: If your applications are hosted in a co-location facility or data center, make sure that your security strategy covers the application layer (WAF, DDoS protection, load balancers, content filtering) as well as the network perimeter layer (advanced firewalls and IPS). Strong web security through a proxy, backed by a solid underlying endpoint security management system, is also needed. To monitor who is accessing applications, Identity and Access Management (IAM), SSO and PAM solutions are invaluable, as they help detect threats against those applications when an account is misused.
- It is also important to have an Application Performance Monitoring (APM) tool for real-time visibility into application services and their key KPIs. Modern data analytics platforms can index machine data in virtually any format and give good insight into the application ecosystem. This goes significantly beyond what an APM tool offers, since APM tools are completely blind to the network and virtualization layers. Security analytics platforms can also map services to KPIs in order to pinpoint exactly where a problem lies.
- Adopt DevSecOps and use Application Security Testing (AST) tools: Organizations must adopt DevSecOps application security tools that look for known vulnerabilities and classify the results. They can be used to identify trends and patterns in attempted attacks; breaches often exploit the application layer to gain access to systems. AST tools are therefore critical for improving application layer security: they help developers test for known vulnerabilities (or programming errors) during the build and release phases.
- Developers can use one or more AST approaches in their CI/CD process, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Interactive Application Security Testing (IAST). Aligning security testing with agile development, REST API security, mobile application security and threat modelling (Remote, Privacy) are other important ingredients of a robust application security program and must be incorporated into the application lifecycle.
- Don’t merely find vulnerabilities; mitigate or remediate them: Developers must also focus on penetration testing. Even where code reviews with AST tools are standard practice, residual vulnerabilities may escape into the production environment. Vulnerability scanning unearths such loopholes and qualifies whether they pose a threat that could eventually become a risk. A penetration test then verifies whether these vulnerabilities can actually be exploited; new-age penetration testing tools backed by human expertise can greatly help in finding the application vulnerabilities that lead to breaches and in reducing the overall attack surface.
- Benefit from BaaS and FaaS by moving into the cloud: Using Backend-as-a-Service (BaaS) such as Google Firebase or Function-as-a-Service (FaaS) such as AWS Lambda reduces the complexity of the backend infrastructure, making it easier for developers to build and release secure code in cloud environments. Such an approach reduces the potential attack surface and mitigates intrusion risks at the application level.
- Adopt the philosophy of Zero Trust Network Access: Organizations must move private applications to the cloud and adopt a Zero Trust Network Access (ZTNA) approach, which helps eliminate traditional VPNs and passwords, facilitates micro-segmentation of applications, provides application access without network access, masks applications from the internet by using outbound-only connections, and overall provides a higher level of security.
Read my detailed blog on ZTNA here https://www.locuz.com/blog-details/Future-of-Networking-ZTNA
- Take application security to the masses: Organizations must invest in training developers on application security measures and build security metrics into their KPIs. This is a proven way to incentivize focus on application security and yields excellent long-term results for organizations and developers alike.
- Measure and iterate: Organizations must continually monitor security metrics and iterate their approach to securing the business application layer. This can only be done with robust product instrumentation and a healthy review policy that is driven by the leadership.
- Make a continuous inventory of your development components: Organizations must maintain an inventory of all components and the versions used in development. This makes it straightforward to update a component to a fixed version as soon as a vulnerability in it is discovered or publicly disclosed.
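As an added example, not part of the original post, here is a small Python script that implements the component-inventory check described above (it is also the core of the SCA step mentioned in the AST list): it parses a constructed lock-file-style inventory, compares each component's version against a constructed list of advisories, and reports the components that fall inside a vulnerable version range together with the version to upgrade to. The component names, versions and advisory identifiers are all made up for illustration.

```python
import re

# Constructed inventory in the shape of a requirements/lock file (hypothetical names).
INVENTORY = """\
# application dependencies (constructed sample)
web-framework==2.1.3
json-parser==1.0.9
crypto-lib==3.4.0
logging-util==0.9.2
"""

# Constructed advisories: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "json-parser", "introduced": "1.0.0", "fixed": "1.1.0"},
    {"id": "ADV-EXAMPLE-002", "name": "crypto-lib", "introduced": "3.0.0", "fixed": "3.4.1"},
    {"id": "ADV-EXAMPLE-003", "name": "web-framework", "introduced": "1.0.0", "fixed": "2.0.0"},
]

def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))

def parse_inventory(text):
    """Map component name -> version from 'name==version' lines; skip comments and blanks."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not match:
            raise ValueError(f"unparseable inventory line: {line!r}")
        inventory[match.group(1)] = match.group(2)
    return inventory

def find_affected(inventory, advisories):
    """Return (name, current, advisory id, fixed version) for each affected component."""
    hits = []
    for adv in advisories:
        current = inventory.get(adv["name"])
        if current is None:
            continue  # component not in use; nothing to update
        version = parse_version(current)
        if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
            hits.append((adv["name"], current, adv["id"], adv["fixed"]))
    return hits

if __name__ == "__main__":
    for name, current, adv_id, fixed in find_affected(parse_inventory(INVENTORY), ADVISORIES):
        print(f"{name} {current}: affected by {adv_id}, upgrade to {fixed}")
```

Run against a real lock file and a real advisory feed, the same range check tells you which pinned versions need bumping before the next release.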