Ryan O’Leary, VP Threat Research Centre at WhiteHat Security, discusses why developers and security practitioners must join forces on application security.
The problem with app security is that new applications often fall outside the control of the IT security team. When management requires a new application to be built, developers work to very short deadlines and security is just one item on a very long list of priorities. Any time dedicated to finding security issues is often too little, or comes right at the end of the development lifecycle, so the app is frequently already live by the time flaws are discovered. Failure to remediate those flaws quickly can lead to significant data loss, website defacement or denial of service, and yet the disconnect between the three key stakeholders (developers, security practitioners and the management team) often hinders the effectiveness of web application security practices.
The worrying truth is that most websites are vulnerable most of the time. Across the tens of thousands of applications we test, we find that both infrastructure and websites are highly vulnerable to attack. We rarely find an application with no critical vulnerabilities that could lead to a major attack or breach. In addition, companies keep vulnerabilities open for a long time after discovery. According to our research, it takes on average 200+ days to fix software flaws, allowing attackers more than enough time to find the vulnerability and craft a devastating attack.
In today’s online business environment, application security has never been more important. However, effective app security doesn’t just happen overnight, it requires a concerted effort from all parts of the business. Making sure the right information is being shared between developers, security practitioners and the management team is an important component of this, but it can often be easier said than done.
Developers must push for secure coding best practices
The development team are really up against it when it comes to application security. Actionable vulnerability data is seldom available during the actual development cycle. As such, application security flaws often surface too late in the process and some flaws only become known after the application goes live. Assessing software for security vulnerabilities just prior to production or release is far too late, and the reason for this can often be traced back to time constraints imposed at the executive level for development and implementation.
These teams need to work closely with security practitioners and make a case to the management team for building ample security review time into the entire development lifecycle. Moving to a continuous integration process can greatly assist with this, as can running both static source-code scanning and dynamic scanning of the running application during the development and implementation phases, so that findings arrive while the code is still being written rather than at release. Developers can help demonstrate to the management team that a slightly longer initial development phase is greatly preferable to repeating the whole process several times when vulnerabilities are discovered at release. However, they can only act on this if they work with the security practitioners to communicate their needs effectively up the chain.
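A concrete way to wire source scanning into a continuous integration pipeline, added here as an illustration and not taken from the article or from WhiteHat's tooling, is a build gate that reads the scanner's SARIF report and fails the build when findings at or above a chosen severity are present. SARIF 2.1.0 is the common interchange format for static analysers; the mapping of a rule's `security-severity` score to a bucket follows the convention used by GitHub code scanning, and the fallback from the result `level` field to a severity is an assumption of this script. The SARIF document embedded below is constructed for the example, not real scanner output.

```python
"""CI gate: fail the build when a SARIF scan report has findings at or above a threshold.

Added example. Assumes SARIF 2.1.0 input; the severity bucketing of the
optional rule property "security-severity" (>=9.0 critical, >=7.0 high,
>=4.0 medium, else low) follows the GitHub code-scanning convention, and the
fallback from result "level" to a severity is this script's own assumption.
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LEVEL_TO_SEVERITY = {"note": "low", "warning": "medium", "error": "high"}

# Constructed sample report (not real scanner output): three findings, one of
# them carrying no security-severity score so the level fallback is exercised.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection", "properties": {"security-severity": "9.8"}},
            {"id": "py/reflected-xss", "properties": {"security-severity": "6.1"}},
            {"id": "py/debug-logging"},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/reflected-xss", "level": "warning",
             "message": {"text": "Request parameter rendered unescaped"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "py/debug-logging", "level": "note",
             "message": {"text": "Debug logging enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def severity_from_score(score):
    """Map a numeric security-severity score to a bucket name."""
    s = float(score)
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def parse_findings(sarif):
    """Flatten every result in every run into a dict with a normalised severity."""
    findings = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            score = rule.get("properties", {}).get("security-severity")
            if score is not None:
                severity = severity_from_score(score)
            else:
                severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "?"),
                "severity": severity,
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def blocking_findings(findings, fail_on="high"):
    """Return the findings whose severity is at or above the gate threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]


def main(argv):
    # Usage: sarif_gate.py [report.sarif] [low|medium|high|critical]
    sarif = SAMPLE_SARIF
    if len(argv) > 1:
        with open(argv[1]) as fh:
            sarif = json.load(fh)
    fail_on = argv[2] if len(argv) > 2 else "high"
    findings = parse_findings(sarif)
    for f in findings:
        print(f"{f['severity']:8} {f['file']}:{f['line']} {f['rule']}: {f['message']}")
    blocking = blocking_findings(findings, fail_on)
    if blocking:
        print(f"FAIL: {len(blocking)} finding(s) at or above '{fail_on}'")
        return 1
    print("PASS: no blocking findings")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step after the scanner writes its report; a non-zero exit stops the merge or deployment, which is what makes the "ample review time" argument concrete: the gate costs minutes per build rather than a release cycle per missed flaw. The threshold argument lets a team start at `critical` and tighten to `high` or `medium` as the backlog is worked down.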
Security practitioners need to demonstrate the need for better app security
Security practitioners need to influence without authority. While they are the gatekeepers of security, they often have little or no authority over the security quality of web applications under development. As such, security practitioners need to position themselves as an integral part of the process that takes these applications from code through to production. They need to be seen as an enabler, not a bottleneck.
By using their knowledge of application security analytics throughout the development lifecycle, they can become key development partners to the teams tasked with producing secure, quality code. Security practitioners must also take the time to keep the management team well informed throughout the process, thereby minimising undue pressure from above, whilst ensuring any pre-agreed timetables are adhered to.
The CISO needs to build a business case for implementing the tools that can provide the evidence they need to really engage developers and executives in secure coding practices. Every security team knows that it is rare for an application security programme to be 100% effective. So, rather than assuming their programme is bulletproof, security practitioners should use industry remediation rates and time-to-fix figures as a baseline for their own security posture, measure themselves against it, and look to improve from there.
Management should balance speed with security
Regardless of industry, management teams must face the fact that a large number of their business applications are at risk most of the time. For example, our researchers found that over 50% of retail websites are always vulnerable, with each site having, on average, 23 unique vulnerabilities. Executives often believe that application security flaws are expensive to find and address and conclude that the cost outweighs the risk. This is folly. Most vulnerabilities have the potential to expose the business to loss of data, revenue, reputation and, potentially, customers if not addressed.
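The figures above ("always vulnerable", 200+ days to fix, industry remediation rates as a baseline) are all derived from the same kind of data: per-finding open and close dates. As an added example, not code from the article or from WhiteHat, the script below computes those metrics from a vulnerability tracker export: the number of days in a year on which a site had at least one serious finding open (the window of exposure), a bucket for that window, the mean time to fix, and the remediation rate. The records are constructed for the example, and the bucket boundaries used to label the window are an assumption of this script rather than a figure the article gives.

```python
"""Window-of-exposure and time-to-fix metrics from vulnerability tracking records.

Added example. Records and the exposure bucket boundaries are assumptions
made here for illustration, not data or definitions from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Reporting year used by the example (365 days).
YEAR_START = date(2015, 1, 1)
YEAR_END = date(2015, 12, 31)


@dataclass(frozen=True)
class Finding:
    site: str
    severity: str
    opened: date
    closed: Optional[date]  # None means the finding is still open


# Constructed records for two hypothetical sites; not real scan data.
RECORDS = [
    Finding("shop.example", "high", date(2014, 6, 1), None),
    Finding("shop.example", "high", date(2015, 3, 1), date(2015, 5, 10)),
    Finding("shop.example", "medium", date(2015, 2, 1), date(2015, 2, 20)),
    Finding("pay.example", "critical", date(2015, 1, 10), date(2015, 2, 8)),
    Finding("pay.example", "high", date(2015, 2, 1), date(2015, 3, 1)),
    Finding("pay.example", "low", date(2015, 6, 1), None),
]


def days_exposed(records, site, start, end, min_severity="high"):
    """Count days in [start, end] on which `site` had at least one finding at or
    above `min_severity` open. Overlapping findings are counted once per day, and
    a finding closed on day D is not counted as open on D (consistent with
    time_to_fix_days below)."""
    end_excl = end + timedelta(days=1)
    exposed = set()
    for f in records:
        if f.site != site or SEVERITY_RANK[f.severity] < SEVERITY_RANK[min_severity]:
            continue
        day = max(f.opened, start)
        last_excl = min(f.closed or end_excl, end_excl)
        while day < last_excl:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def exposure_class(days, year_days):
    """Label a window of exposure. Bucket boundaries are assumed for illustration."""
    if days >= year_days:
        return "always"
    if days > 270:
        return "frequently"
    if days > 150:
        return "regularly"
    if days > 30:
        return "occasionally"
    return "rarely"


def time_to_fix_days(records):
    """Days from open to close for every finding that has been closed."""
    return [(f.closed - f.opened).days for f in records if f.closed]


def mean_time_to_fix(records):
    fixes = time_to_fix_days(records)
    return sum(fixes) / len(fixes) if fixes else None


def remediation_rate(records):
    """Fraction of findings that have been closed."""
    return sum(1 for f in records if f.closed) / len(records) if records else 0.0


def site_report(records, start=YEAR_START, end=YEAR_END, min_severity="high"):
    """Per-site (days exposed, bucket) for the reporting period."""
    year_days = (end - start).days + 1
    report = {}
    for site in sorted({f.site for f in records}):
        exposed = days_exposed(records, site, start, end, min_severity)
        report[site] = (exposed, exposure_class(exposed, year_days))
    return report


if __name__ == "__main__":
    for site, (days, label) in site_report(RECORDS).items():
        print(f"{site}: exposed {days} days ({label} vulnerable)")
    print(f"mean time to fix: {mean_time_to_fix(RECORDS):.1f} days")
    print(f"remediation rate: {remediation_rate(RECORDS):.0%}")
```

The shop site carries a high-severity finding opened the previous year and never closed, so it is exposed every day of the year regardless of how quickly the newer findings were fixed; that single long-lived item is what "always vulnerable" usually looks like in practice. Comparing the mean time to fix against an industry figure such as the 200+ days quoted earlier gives management a number they can track release over release, which is the baseline the security team is asked to establish.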
Management is in the best position to help change the way that the security and development teams approach software. Whether developed in-house, purchased, or outsourced, almost all software introduced into a business is done with speed and time-to-market in mind. But even the most efficient IT teams need time to integrate new software properly, otherwise they risk introducing new security flaws at the same rate at which they are rectifying old ones.
Executives need to get to grips with the security of their entire application landscape. One of the best ways to do this is to use analytics to identify and prioritise the most business critical applications that need to be secured. They must then empower their security practitioners to have the right tools in place to find vulnerabilities in a timely manner and ensure development teams are held accountable for application security before they are allowed to disengage from the project.
Making the case for secure app development
Effective app security requires a concerted team effort between the development and security functions, which isn’t always easy. But understanding the differing challenges and drivers across the business can really go a long way in helping build a joint case for app security that the management team will struggle to ignore. Achieving the right balance by effective communication between all parties is the key to success.
Edited for web by Jordan Platt.