- 20 Oct
How to make your application security better and Predictions for Application Security
Security is not an “implied” property but an explicit one, and the same thinking needs to be applied to Application security.
Application security is one of the most common security requirements any organization has. But in spite of knowing the importance and impact of application security, we find that the OWASP Top 10 vulnerabilities have not changed much. The top vulnerability still remains injection, even though the process and method to fix injection attacks (parameterized queries, contextual output encoding and input validation) have been well defined and documented. What does this indicate? It indicates a lack of awareness of these vulnerabilities and, even more importantly, a lack of understanding of how to fix them.
How do organizations address these challenges?
Here are my thoughts:
Firstly, a culture of Secure SDLC needs to be built in. Securing your SDLC is a continuous process and not a one-time activity. Secure SDLC processes give you the confidence that your applications are ready to face both external and internal threats. Secure SDLC processes demand that security is addressed at all stages of a typical SDLC. For a more detailed understanding of how to build a culture of Secure SDLC, please refer to my earlier post on my blog at http://www.sacumen.com/blog/secure-your-sdlc/. Question to answer: Do you ensure that the security requirements are captured and documented in detail in your Requirements document?
Secondly, you need to define an Application security maturity model that helps to identify the level of maturity you are currently at and the targets you would like to reach within defined timelines. OWASP Application Security Verification Standard (ASVS) is one such fantastic framework that helps to evaluate your application security controls against well-defined verification requirements for various levels. Such a framework will not only serve as a metric for you to measure the effectiveness of your Application security but also bring the required focus and clearly defined goals for both your Development and Testing teams to target.
Thirdly, you need to provide the right tools and knowledge to your developers to ensure that security is taken care of during the development phase. Developers already face tremendous pressure to deliver functionality and may not have the motivation or time to ensure that security is addressed. What if you provide them with proven, reusable libraries that fix those vulnerabilities for them? OWASP ESAPI is one such useful library to bank on. Where your framework or database driver already offers parameterized queries and auto-escaping templates, prefer those built-in controls first and use such libraries to fill the gaps.
Finally, continuous evaluation of your applications' security by third-party agencies is needed to ensure an unbiased evaluation of those applications.
The above four need to be executed as part of an Application security program and not in isolation, so that you have tangible outputs and you know how secure your application is.
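To make the third point concrete (reusable, proven fixes for the injection class that still tops the OWASP Top 10), here is an added example that is not part of the original post or of ESAPI. It uses only the Python standard library: an in-memory SQLite table with constructed sample users, a string-concatenated lookup beside its parameterized replacement, and contextual HTML output encoding for the reflected value. The table, user names and payload are assumptions for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demo; not from the original post.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def connect_demo_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The classic injection pattern: user input is pasted into the SQL text,
    so a quote in the input changes the structure of the statement."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """The documented fix: the driver binds the input as data, so it can
    never be parsed as SQL no matter which characters it contains."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_greeting(name):
    """Contextual output encoding for the HTML body context. The same
    input reflected into a script or attribute context needs that
    context's encoder instead, which is the point of libraries like ESAPI."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run the same hostile input through both lookups and the encoder.

    Returns a dict so the outcome can be checked, not just printed."""
    conn = connect_demo_db()
    # A tautology payload: turns "name = 'x'" into "name = 'x' OR '1'='1'".
    payload = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, payload)      # every row comes back
    safe = lookup_parameterized(conn, payload)     # no user is literally named that
    legit = lookup_parameterized(conn, "bob")      # normal lookups still work
    encoded = render_greeting("<script>alert(1)</script>")
    return {
        "rows_leaked_by_vulnerable_lookup": len(leaked),
        "rows_from_parameterized_lookup": len(safe),
        "legit_lookup": legit,
        "encoded_greeting": encoded,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the concatenated query handing back all three users for the tautology payload while the parameterized query returns nothing, which is exactly the behaviour a developer can rely on without needing to reason about escaping. Note also that the vulnerable version breaks on legitimate input such as a surname containing an apostrophe, so the fix is a correctness improvement as much as a security one.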
My predictions for Application security for next 5 years:
1. Move to a Unified Automated Application Intelligence Platform:
Organizations will reduce their reliance on the Development team to address application security requirements and move towards tools that automatically detect and respond to security threats and vulnerabilities. Already there are various tools in use, such as WAF (Web Application Firewall), RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). Each of these addresses a different slice of the vulnerability space in its own way. We will gradually move to one unified Application Security framework that ensures your response to application security threats and vulnerabilities is taken with end-to-end context, so as to effectively apply Application Intelligence.
2. Move to a Standardized Application Infrastructure:
With Mobility transforming our lives and IoT poised to make our lives even better, we are approaching a pretty complex, heterogeneous infrastructure environment. With the fast-paced growth of multiple networking protocols and messaging formats, organizations will need to plan for one standardized infrastructure capable of addressing current and future requirements. I strongly think that API Management platforms will move from a luxury to a necessity to address these challenges. APIs will be your products and the mode of communication between Machine to Machine, Human to Machine and Machine to Human. API Management platforms will also centralize the standard and evolving application security controls and provide an automated application security guard. They will also provide the required scalability to manage high traffic.
These are my thoughts and predictions. I would love to hear your thoughts on this space!
About my company:
“Sacumen is a Security Product Engineering and Services Company. Sacumen was born to address the pressing need of Enterprises and Product companies looking for a trusted, focused and niche Security services partner to help them develop innovative security products and solutions. Sacumen is focused on providing services to develop innovative solutions in the areas of Identity and access management, Application security, API Management and security, Authentication, and Security product engineering. You can get more details at www.sacumen.com”.
About the Author:
Nitesh carries a deep passion for the information security space. Nitesh is the Founder and CEO of Sacumen, a focused and niche Security Product engineering and Services Company. Nitesh has spent more than a decade in the Security space and carries multiple prominent security certifications such as CISA, CISM, CGEIT, CISSP, CSSLP, CEH, ISO 27001 LA, CCSK and HCISSP. Nitesh is on a mission to transform the perspective of IT security from a FUD (Fear, Uncertainty and Doubt) perspective to having IT security being harnessed as an enabler and differentiator.