5 Lessons from an Application Security Pro

Cyberattacks on the application layer are becoming more commonplace than attacks on servers, according to a survey of IT professionals by DLT partner, Veracode. The problem is that traditional security methods are largely ineffective against these application layer attacks. But despite this increase, it’s important to maintain perspective.

A holistic and systemic approach to security can minimize and mitigate this risk, says Veracode’s Colin Domoney, a senior product innovation manager who spent five years managing a large application security program. Speaking from experience in his eBook “5 Lessons from an Application Security Pro,” Domoney offers the following lessons drawn from his own struggles with application layer security.

1. Traditional Security Methods are Ineffective

Firewalls, IDS, anti-malware, etc. don’t address risk at this layer. In fact, many risks fly below the radar. Domoney found that his security teams disregarded such things as application business logic design and architecture design decisions, or failed to address poor adherence to secure software development best practices. “Instead, they’d been focused on ‘check-box compliance’ which failed to address many of the underlying issues,” said Domoney.

2. Open Source Poses a Risk

Domoney also found that cyberattackers are taking advantage of the increasing use of open-source components in software development and using these as an entry point. Apps have an average of 46 open source components, each of which can potentially introduce risk. As such, open source libraries must be inventoried, audited and managed so that any vulnerabilities that exist can be identified.
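To make the auditing point concrete, the following is an added example (not code from the eBook, Veracode or DLT) of the simplest form of a component check: read a pinned dependency manifest, compare each pinned version against an advisory list of affected version ranges, and report both the matches and any dependencies that are not pinned and therefore cannot be audited. The manifest and the advisory entries are constructed placeholders, not real packages’ advisory data.

```python
"""Audit a dependency manifest against a list of known-vulnerable version ranges.

Added example for illustration only; the manifest and advisories are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample manifest in pip "requirements" style (not a real project's file).
SAMPLE_MANIFEST = """\
# web framework and helpers
flask==1.1.2
requests==2.25.1
pyyaml==5.3.1
markupsafe==2.0.1
urllib3>=1.26   # not pinned to an exact version
"""

# Constructed sample advisories: (package, first affected, first fixed, note).
# The identifiers are placeholders, not real advisory or CVE numbers.
SAMPLE_ADVISORIES = [
    ("pyyaml", "0.0", "5.4", "EXAMPLE-ADVISORY-1: unsafe loader enabled by default"),
    ("requests", "2.0", "2.20", "EXAMPLE-ADVISORY-2: credentials forwarded on redirect"),
]


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    fixed_in: str
    note: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Simplification: non-numeric segments (e.g. 'rc1') are treated as 0.
    """
    return tuple(int(part) if part.isdigit() else 0 for part in text.split("."))


def parse_manifest(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return exact pins as {name: version} plus the lines that are not exact pins."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if "==" in line:
            name, version = (s.strip() for s in line.split("==", 1))
            pinned[name.lower()] = version
        else:
            # A range or bare name can resolve to a vulnerable version at build time,
            # so it is reported separately rather than silently skipped.
            unpinned.append(line)
    return pinned, unpinned


def audit(manifest_text: str, advisories) -> Tuple[List[Finding], List[str]]:
    """Match every pinned component against the advisory ranges [first_affected, first_fixed)."""
    pinned, unpinned = parse_manifest(manifest_text)
    findings: List[Finding] = []
    for package, first_affected, first_fixed, note in advisories:
        version = pinned.get(package.lower())
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            findings.append(Finding(package, version, first_fixed, note))
    return findings, unpinned


if __name__ == "__main__":
    found, loose = audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for f in found:
        print(f"VULNERABLE {f.package}=={f.version} (fixed in {f.fixed_in}): {f.note}")
    for line in loose:
        print(f"UNPINNED   {line} (cannot be audited until pinned)")
```

With the constructed data above, the pin on pyyaml falls inside its affected range and is reported, the pin on requests is past the fixed version and is not, and the urllib3 line is flagged as unpinned. A real program would feed the same kind of check from a generated SBOM or lock file and a maintained vulnerability feed rather than a hard-coded list.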

3. Security Processes Must be Integrated into the Development Process

With pressure to deploy applications quickly and with minimal risk, many problems at the application layer are often a result of “…oversights and errors in the application logic design or…basic coding errors,” writes Domoney. Add to this the fact that development groups work in silos, aren’t trained in secure coding best practices, and don’t have security solutions that fit their work processes. This needs to be addressed while keeping developers working quickly.

4. Organizations Must Develop Clear Standards for App Security

According to Veracode, 38% of developers don’t consistently follow secure coding practices, while 42% reported that security standards and policies vary across the organization. “One of the issues we encountered more than once…was that a high-level security executive would issue an edict about cybersecurity, but the policy wasn’t applicable at the application level,” says Domoney.

“…we wound up focusing on both risk and governance. Having clear policies in place also allowed our IT staff to focus on more strategic issues and stay out of a constant firefighting mode. In the end, a well-designed framework will address approved platforms, languages and libraries, and should eliminate the vagaries that can sink an enterprise.”

5. Provide the Right Metrics and Demonstrate Risk Reduction to Leaders

It’s critical to attain buy-in and funding from C-level executives to control the risk. KPIs, balanced scorecards, metrics, etc. can help demonstrate the ROI of an investment in an application security program. “Year after year, our program gained increased investment based on our ability to communicate successful program delivery.”

For insights and tips on how to establish an application security framework for your agency, check out Domoney’s recommendations.