Organizations usually start paying attention to application security when they’re in a reactive mode: once something happens that affects the firm’s security stance, security becomes a high priority. As application security becomes an increasingly hot topic, and for good reason (attacks are spreading like wildfire these days), organizations should transition their security strategy to a more proactive approach and get ahead of the attackers.
To make the transition from a reactive to a proactive approach, firms should consider a strategy that defines proper policies and standards, builds security into the application across a secure software development life cycle (SDLC), and measures and improves the organization’s application security efforts.
A proactive approach to application security is usually strategically anchored around a software security initiative (SSI). The purpose of establishing an SSI is to keep your business goals aligned with security best practices and to garner support from the organization’s leadership. An SSI also guides the organization in establishing security policies and security standards that support and guide development, testing, operation and design, together with metrics that allow the firm to measure results, improvement and maturity.
A selection of firms were asked by PCI auditors to perform scanning on the applications that required PCI compliance. The companies within that group that weren’t yet compliant had to go through a very rushed, unpleasant process to secure their applications in order to meet minimum compliance standards. That’s how reactive application security works. In more unfortunate cases, firms begin taking steps to secure their applications only after they’ve been hacked and sensitive data has been compromised.
As more and more sensitive data breaches show up in the news, many companies are beginning to realize the importance of a proactive approach to application security. For application security to be effective and sustainable, a proactive approach is by far the best strategy.
Here are four signs that your organization should adopt a proactive application security strategy:
Security policies allow companies to capture their security requirements and objectives. Security standards such as secure coding standards, data protection standards and encryption standards capture software security best practices. They help companies manage security risks in a repeatable and proactive manner. Without proper security policies and standards in place, different parts of an organization can do application security their own way. That makes consistency and quality hard to achieve.
Do you know which applications require an in-depth risk assessment and which ones only need basic coverage? Do you know which projects require a thorough analysis conducted by security architects, and which ones only need quick review checkpoints? A risk-based view of the application portfolio can help you allocate your security resources effectively.
Penetration testing is an effective security activity for identifying application defects such as cross-site scripting, SQL injection and cross-site request forgery. However, it is not effective at discovering design flaws, and because it is a late-cycle activity in the SDLC, the development team may resist fixing the bugs in order to meet the go-to-market launch date. A proactive approach builds security into the software throughout the SDLC, so that design flaws and gaps are identified early and fixed in a timely manner through activities such as secure design review, threat modeling or architecture risk analysis.
The development team is responsible for delivering a software product. In order to build secure software, each project team member should be equipped with relevant security knowledge. Role-based security training provides relevant training that is targeted and useful to a particular role, whether that is the architect, developer or tester.
Proactive application security uses policies and standards to manage security risks and apply security best practices consistently across the organization. It adopts early-cycle activities such as security requirements, secure design review and architecture risk analysis to effectively ensure that security is built into the application throughout the SDLC. This strategy guides the organization to allocate security resources in order to effectively manage application portfolio risk. The effectiveness of proactive application security can also be measured and improved upon using proper metrics.