Here are some insights from Todd Waskelis, AVP, Cybersecurity, as we discussed cybersecurity with application security in focus.
How has COVID changed the game for application security? Shift Left, Shift Right, and Shift everywhere?
2020 had several significant events around application security, including the move of applications to the cloud, the expansion of remote workers using cloud-accessed applications, and an increase in the number of vulnerabilities reported in code. I think if we look at the basic lifecycle of Design, Develop, Test, and Deployment/Maintenance, we tend to focus today on the latter two stages – Test and Maintenance. Traditionally we address those with one-time preproduction testing, which, when issues are discovered, pushes the cycle backward to development. But once deployed, those identified vulnerabilities become more difficult to address and require either investment in additional infrastructure to ensure controls or, more commonly, prolonged exposure of that vulnerability due to limited resources (time, money, people) to address the issue.
- Shifting left leads with the idea of ensuring security is at the table during the design discussions, not only from a technology perspective but also from a regulatory/legislative view. It means knowing what controls will need to be cared for, commensurate with the data being processed, stored, and transacted. It also drives awareness to the developers early that security is a critical component and highlights their responsibilities in that commitment.
- Secondly, and just as critical, is integrating frequent and (when possible) automated security testing into the development stage. This reduces the number of vulnerabilities when we move to test, thereby increasing deployment speed and reducing the time to market.
- A large portion of the vulnerabilities we see are specific to custom code or to highly intricate custom configurations. In this way, almost every vulnerability detected in an application can be considered a zero-day vulnerability.
- With these recent trends, we expect an increased focus on application security during development; shift left will become more important in the coming year.
- One example is cross-site scripting. It is a purely technical class of vulnerabilities that stems from improper coding of web pages, and plays a major part in large cybercrime campaigns, such as the Magecart web skimming campaign. Other vulnerability types do not stem from a technical problem but, rather, from a failure to recognize and enforce business logic, which is where we need to rely on the involvement in the design phase.
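As an added example that is not part of the interview, the cross-site scripting case above shown as code: a page fragment that concatenates untrusted input, the same fragment with HTML encoding, and a small check of the kind the automated testing mentioned earlier would run during development. All function names and probe strings are hypothetical.

```javascript
// Added example (not from the interview). Contrasts a page fragment built by
// string concatenation with one that HTML-encodes untrusted input, and wraps
// the comparison in a check a CI job could run before code reaches the test
// stage. Function names and probe inputs are constructed for illustration.

// Encode the characters that let data change HTML structure or attribute
// context. This is correct for HTML text and attribute values only; URL,
// JavaScript and CSS contexts need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the user-supplied "name" is dropped into the HTML verbatim,
// so whatever markup it contains becomes part of the page.
function renderGreetingUnsafe(name) {
  return `<p>Welcome back, ${name}!</p>`;
}

// Hardened: the same fragment, but the untrusted value is encoded for the
// HTML text context it lands in.
function renderGreetingSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}!</p>`;
}

// Constructed inputs a unit test would feed to the renderer: a benign name
// and two strings that would alter the page structure if left unencoded.
const PROBES = [
  "Todd",
  "<script>alert(1)</script>",
  '"><img src=x onerror=alert(1)>',
];

// Returns the probes whose rendered output still contains structural
// characters inside the user-controlled part of the fragment. An empty
// array means the renderer encodes its input; CI would fail on anything else.
function findUnencodedOutput(render) {
  const findings = [];
  for (const probe of PROBES) {
    const html = render(probe);
    const body = html.slice("<p>".length, -"</p>".length);
    if (/[<>"']/.test(body)) findings.push(probe);
  }
  return findings;
}
```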
How does the importance of secure code in application security tie into digital trust, risk, and resilience?
- Secure code is more critical today than ever before, and that is driven by a number of things: a remote workforce, cloud-native applications, the explosion of mobile devices, emerging technologies like 5G, and really the fact that everything is becoming a connected endpoint.
- This focus on application security is nothing new; however, the threats have grown, the risks have greatly changed, and the attack surface is much larger now: it's not within the four walls of your enterprise.
- The customer experience is moving more and more to purely digital out of convenience, and eventually that will shift to be the consumer's expectation. If you fail just once and that Digital Trust between you and your client breaks down, you risk a significant loss of business, brand loyalty, and market share.
- To put this into perspective, let's simplify with a banking example. Someone walks into a branch office of Bank of Todd and robs the tellers. There is likely minimal impact on a bank customer unless they happened to be there at the time. Bank of Todd is probably not going to lose a large customer base because of that one event. But what if that robbery happens over the Bank of Todd application? Now not only is a considerable portion of individuals impacted, but that Digital Trust, which EVERY SINGLE CUSTOMER expects, is impacted. Unless you write a ton of checks, switching banks nowadays is not complex, nor is there a shortage of options.
- Recovering from a break in digital trust can be very difficult, if not impossible, so your focus on application security must be at the top of your list.
How should we view application security amongst all the security priorities in 2021?
The opportunities applications present to a business have never been more significant. Companies can reach and engage customers in ways that were not possible just a few years ago. They can streamline processes and facilitate innovation and collaboration between teams and individuals as never before. Yet, at the same time, this explosion in and concentration on applications creates dramatically greater risk. Application-attack volumes remain at unprecedented levels, while cyberattacks become increasingly sophisticated. The business demands that the CISO/CSO enable digital transformation while mitigating these initiatives' security risks. New CISOs/CSOs must account for application security and ensure it is embedded in their 30-, 60-, and 100-day plans. While application security may have been an afterthought in the past, it can no longer be a marginalized checklist item. Rather, the prioritization of digital transformation demands that it be prioritized from the outset and remain a critical business measurement.