Application Security: Four Key Steps
Experts Offer Insights on Breach Prevention Measures
Last year, a number of application vulnerabilities led to compromises of many organizations' systems.
For example, the Heartbleed bug (CVE-2014-0160) - a memory-disclosure flaw in the TLS heartbeat extension of OpenSSL, the cryptographic library that secures communications over the Internet for many applications, including e-mail, instant messaging and some virtual private networks - led to the compromise of 1.5 million user accounts on Mumsnet, a U.K. website for parents. Some security experts also suspect Heartbleed played a role in a hack attack against Community Health Systems that compromised information on 4.5 million patients.
Also last year, a breach of the photo messaging app Snapchat exposed the usernames and phone numbers of 4.6 million of its users. And a December breach disclosed by the Department of Veterans Affairs that exposed information on several thousand veterans was tied to a security flaw in a database application managed by a vendor.
These breaches, and others like them, illustrate that too many organizations are still neglecting application security as a part of their breach prevention strategy.
A Common Target
"Applications are one of the most common targets for attackers because of the large surface area they present on the network," says Josh Shaul, vice president of product management at information security vendor Trustwave. "Think of your applications as the things attackers are most likely to attack and build your breach prevention strategy from there."
Yet application security has typically taken a back seat at most organizations. "Traditionally, organizations have had limited security resources, which has led to a heavy reliance on vendors or testing and validation tools," says Brian Evans, senior managing consultant at IBM Security Services. "These efforts do not adequately address today's threats that are targeting applications. With breach headlines and regulatory enforcement actions, it is imperative to include application security within an overall information security program."
Another challenge facing application developers is the business demand for speed-to-market for their products, says management consultant and information assurance trainer William Hugh Murray, who worked at IBM for more than 25 years. "[This] has produced a culture in which developers believe that they are measured on schedule rather than quality," he says.
Experts offer four tips for including application security as part of a breach prevention strategy:
1. Review OWASP List
Organizations should begin addressing application security risks by checking their systems against the most commonly exploited classes of vulnerability, using the OWASP Top 10, the Open Web Application Security Project's list of the ten most critical web application security risks.
"The OWASP Top 10 is a well-regarded list that can be used to establish a good foundation of security around any applications," says Ben Desjardins, director of security solutions for application security firm Radware.
Among the vulnerabilities at the top of the list are injection flaws, broken authentication and session management, and cross-site scripting (XSS). Injection flaws, for instance, arise when untrusted input is spliced into the text of a SQL query or a command rather than passed to it as a parameter, so that the input can change what the query does.
But organizations can't just rely on measuring their protection against the OWASP list, Desjardins says. "The methods used by hackers constantly evolve, so organizations need to ensure that their methods for mitigating threats keep pace."
2. Train Developers on Secure Coding
After understanding what the top vulnerabilities are, developers should be trained and educated to address application security gaps early on.
"Typically, application developers do not have extensive knowledge in networking or security because they are not taught these subjects in college or on the job," says IBM's Evans. "Instead they generally interact with networking or security technologies through the use of application programming interfaces and libraries."
As a result, developers should be trained on the proper use of the common APIs and libraries, as well as how to avoid coding vulnerabilities into applications, Evans says. "Once trained and educated, developers more often than not embrace this knowledge and incorporate these secure practices into everything they code."
As developers focus on secure coding, it's important for them to measure the quality of the product, rather than worrying about the speed of getting it to market, says Murray, the consultant. "Programmers believe that they miss the schedule because they do not work fast enough. In fact, they miss the schedule because, when they put it all together, it does not work."
To ensure the quality of the application, developers need to define the security requirements in the same language as the application's other requirements, up front, before coding begins, Murray says. "Make certain that the application owner understands and accepts all the residual security risk at the time of first use."
3. Test Apps for Quality Control
Once applications are developed and implemented, ongoing security testing too often is neglected, Trustwave's Shaul says.
"Security testing, when done properly, will identify nearly any vulnerability an attacker could exploit, and thereby provides a roadmap of security improvements for an organization to make," he says. "Skipping the security testing step entirely, not testing often enough, or even testing without enough rigor and expertise all put organizations at significant risk of compromise."
Application testing can include a combination of automated scanning and manual penetration testing to identify any security gaps, Shaul says. This is another opportunity to review apps alongside the vulnerabilities outlined in the OWASP Top 10, he explains. "We commonly see [such vulnerabilities as] cross-site scripting, SQL injection, authentication and authorization bypass in our testing, with cross-site scripting being the most common and authentication bypass being the most severe."
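The two vulnerability classes named above, injection with authentication bypass and cross-site scripting, are illustrated below with a vulnerable function next to its hardened form and a small check harness of the kind an automated security test would run against both. This is an added example, not code from the article or from any of the vendors quoted in it; the user table, the sample accounts and the payloads are constructed for the demonstration. The login stores salted PBKDF2 hashes, which is why the textbook `' OR '1'='1` payload no longer works against it, but a `UNION` still lets an attacker supply a row whose salt and hash they chose, so string-built SQL remains an authentication bypass even with hashed passwords.

```python
"""Added example (not the article's or any vendor's code): a legacy login that
splices user input into SQL next to a parameterized rewrite, a reflected-XSS
sink next to its output-encoded form, and a check harness run against both.
Schema, accounts and payloads are constructed for the demo."""
import hashlib
import hmac
import html
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as hex."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def make_db() -> sqlite3.Connection:
    """In-memory user store populated with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    for user, pw in (("alice", "correct horse battery"), ("admin", "hunter2!")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, salt.hex(), hash_password(pw, salt)))
    conn.commit()
    return conn


def _verify(row, password: str):
    """Constant-time comparison of the submitted password against the stored hash."""
    if row is None:
        return None
    username, salt_hex, stored = row
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return username if hmac.compare_digest(candidate, stored) else None


def login_vulnerable(conn, username: str, password: str):
    """OWASP A1 (injection): the username is spliced into the query text.
    Hashing defeats ' OR '1'='1 (the attacker still needs alice's password),
    but a UNION lets the attacker return a row with a salt and hash they chose."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = '%s'" % username
    return _verify(conn.execute(sql).fetchone(), password)


def login_hardened(conn, username: str, password: str):
    """Same logic with a bound parameter: the input can only ever be a value."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return _verify(conn.execute(sql, (username,)).fetchone(), password)


def union_bypass_payload(target_user: str, attacker_password: str) -> str:
    """Username string an attacker submits together with attacker_password."""
    salt = b"\x00" * 16  # attacker picks the salt, so also picks the hash
    fake_hash = hash_password(attacker_password, salt)
    return "' UNION SELECT '%s','%s','%s' --" % (target_user, salt.hex(), fake_hash)


def render_greeting_vulnerable(name: str) -> str:
    """OWASP A3 (XSS): untrusted input written straight into HTML."""
    return "<p>Hello, %s</p>" % name


def render_greeting_hardened(name: str) -> str:
    """Output encoding for the HTML text context."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


XSS_PAYLOAD = "<script>alert(1)</script>"


def run_checks(conn) -> dict:
    """Run the payloads against both versions; True means the check found a flaw."""
    attacker_pw = "letmein"
    bypass_user = union_bypass_payload("admin", attacker_pw)
    naive_user = "' OR '1'='1"  # returns alice's row, but her hash does not match
    return {
        "sqli_union_bypass_vulnerable": login_vulnerable(conn, bypass_user, attacker_pw) == "admin",
        "sqli_union_bypass_hardened": login_hardened(conn, bypass_user, attacker_pw) == "admin",
        "sqli_or_1_eq_1_vulnerable": login_vulnerable(conn, naive_user, attacker_pw) is not None,
        "xss_vulnerable": XSS_PAYLOAD in render_greeting_vulnerable(XSS_PAYLOAD),
        "xss_hardened": XSS_PAYLOAD in render_greeting_hardened(XSS_PAYLOAD),
        "valid_login_still_works": login_hardened(conn, "alice", "correct horse battery") == "alice",
    }


if __name__ == "__main__":
    for check, found in run_checks(make_db()).items():
        print("%-32s %s" % (check, "FLAW" if found else "ok"))
```

The harness only reports whether each payload succeeded, which is what a regression check in a build pipeline needs; a manual tester would go further and, for example, try the UNION against every query that embeds input, not just the login. The `sqli_or_1_eq_1_vulnerable` check comes back clean on purpose: it shows why a scan that stops at the textbook payload can miss an injection that a manual tester, or a richer payload set, would find.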
Quality control and assurance testing should be applied to all custom-coded applications that interact with the Internet and all critical custom applications that are internal to the organization, says IBM's Evans. "This process subjects the code to analysis and review for well-known vulnerabilities, unused code and malicious code," he says.
4. Tackle Mobile App Threats
The growing use of mobile devices, including tablets and smart phones, which often contain more applications than a desktop PC, means mobile app security must be a new risk management priority, says Domingo Guerra, president and co-founder of application risk management firm Appthority.
"The number of apps per device has grown exponentially compared to laptops and desktops," he says. "Instead of 10 applications per device, we see between 50 and 200 apps on each employee smart phone. These factors, as well as the growing number of risky behaviors found in popular apps, means that application security is now more important than ever."
A study conducted by Appthority found that more than 90 percent of the most popular iOS and Android apps demonstrated at least one risky behavior with respect to corporate data exfiltration, authentication and password management, as well as corporate privacy. "When these apps are on a phone that is being used for work purposes, the threat of corporate data being compromised is high," Guerra says.
Managing that risk comes down to using automation to streamline discovering new apps on employee devices, approving or denying their use and enforcing an organization's mobile policies. To mitigate mobile application risks, organizations should have a mobile security program as part of their breach prevention strategy, Guerra says. That program should include these steps:
- Determine which app behaviors or parameters should not be allowed in the enterprise;
- Educate users on the mobile policy;
- Use a third-party service that automates the review and approval/rejection of apps based on the acceptable use policy;
- Automatically approve apps that don't exhibit the blacklisted behaviors for use in the enterprise; and
- Automatically remediate devices that have apps that are out of compliance.