Why achieving web application security might be a lot like juggling elephants

In today’s fast-paced business climate, where the pressure is on to deliver new web-based services and features to customers, Chief Information Security Officers (CISOs) can often feel like they’re juggling elephants.   

In one hand they have the weighty responsibility of getting new applications into production as quickly as possible. In the other, they’re holding the equally weighty task of ensuring those applications are secure and able to withstand a growing array of cyber-attacks.

The challenges are highlighted in recent research that shows organisations are facing an increasing number of threats being launched via web applications. According to Verizon’s 2018 Data Breach Investigations Report, more than 20 per cent of breaches continue to occur as a result of vulnerabilities within web applications.  The report says the parties behind such breaches are most often financially motivated external attackers.

These security issues are particular acute for organisations in the retail, transport and logistics, and critical infrastructure sectors. Many have back-end systems in place that have been operating for more than a decade. When internal pressure mounts to link these systems to web applications, the result can be the appearance of significant security vulnerabilities.

The situation is also exacerbated by the fact that many software development teams have not historically had security methodologies built into their code development workflows. Team members might be very good at creating fully featured web applications, but not so great when it comes to ensuring those applications are able to withstand malicious attacks.

Adopting continuous application security

To overcome this challenge, CISOs need to ensure that security becomes a core part of every new web application’s development lifecycle. Rather than being seen as the ‘icing on a cake’ when it comes to development, security should considered right from the outset.

CISOs and their teams need to adopt a strategy dubbed ‘continuous application security’. This recognises that effective security is not a one-off task, but requires consistent and ongoing attention.  The key elements within this strategy are:

• Application testing: The traditional approach of checking the performance and security of applications at the end of a project is no longer sufficient and security reviews of web applications should be conducted throughout the development of a new application. When developing a new application, security activities should begin at the design phase and be followed up with testing and security advice during the software development phase, and again just prior to going into production. This should be followed up by regular ongoing tests during the application’s lifecycle (at least annually, or after each major code change). A framework should be put in place to ensure this testing takes place as scheduled and external parties brought in to help with the process as required.
• Training and education: The subject of IT security should be incorporated into ongoing staff training to ensure programmers are skilled at developing secure code. As well as technical education, there also needs to be a focus on developing the necessary mindset among developers. This will help to ensure that they always have security top of mind during the code design and creation process.
• Defensive protection: If applications need to be launched before full security measures are in place, there needs to be an additional platform in place that can provide the required security until the code itself can be altered and made more secure. This platform should be sufficiently robust to provide the required level of security while at the same time not interfering with the application’s performance. This platform can also provide protection should ongoing testing uncover a vulnerability in applications that have been live for some time. Rather than those applications having to be taken off line and fixed, they can continue to operate while developers work to overcome the weaknesses that have been identified.
• Automate processes: To ensure applications remain as strong as possible, the security team should automate as many of the scanning and checking activities as possible. This will allow vulnerabilities to be identified as quickly as possible and necessary fixes applied.

The strategy of continuous application security will ensure that web applications remain secure at all times, from initial development and deployment to ongoing use in a production environment. The approach ensures CISOs can address business demands to get applications to market as quickly as possible without sacrificing IT security. Juggling elephants may not be that difficult after all.