26 April 2017

An Introduction to Application Security

Written by Anne Gauthier | 26 April 2017

A Bank VaultTo remain in business, companies rely on perimeter security to protect, among other, their “secret sauce” recipe and the confidential information of their customers. To this end, information security vendors offer different types of defenses. The intent is commendable and the organization then feels confident, warm and cozy behind its firewall. However, there is something fishy. Businesses put up a variety of web applications on the Internet (thus accessible by everyone – including malicious actors) to offer different services. These applications can take many shapes, from transactional Web sites, to mobile applications or Web services. With them, the appropriate security question becomes: beyond securing the infrastructure, how can one defend these applications against hackers? The answer is: the proper design of the application’s source code. There you have it: application security.

Why Application Security?

An application can be developed in-house or by a contractor and can include existing libraries and code snippets available on the Internet. Consider your own application: it most-likely includes a text field, where your customer can input data, which triggers a query to a database and returns a result. What happens if the developer does not perform adequate validation and processes the user-submitted data following secure coding best practices? An attacker could discover the vulnerability, exploit it and steal your “secret sauce” recipe and/or your customers’ confidential information… Boom! You end up on the front page of the newspaper, lose your customers’ trust and, of course, suffer the consequential financial loss.

The moral of the story: always take for granted that your applications are the target of cyberattacks every day. Hence, the necessity for application security.

How to Secure Your Source Code?

There are concrete measures that can be taken to secure an application’s source code. First, management must accept the importance and the associated costs of this layer of defense. For this to happen, you must speak their language (i.e. money) and expose the risks the organization would face if there was a breach. They must also realize that it is much costlier to patch a security vulnerability in an existing application, after it has been put online, than it is during the development phase.

Second, you need to define an application security strategy. Ideally, begin by an assessment of your applications’ health level. Specialized cybersecurity firms are excellent resources to quickly provide a detailed report on the current security posture of your application. Moreover, the results of penetration tests, secure code reviews and existing software development lifecycle (SDLC) analysis are key factors to consider to properly prioritize the security reinforcement efforts. Depending on the application security level of maturity, the implementation of the enhancement strategy may take between 1 to 3 years. The end objective is to include security activities at every stage of the SDLC, from the design of applications to their maintenance once they are exposed on the Internet. Usually, training developers on secure coding best practices is the first step of this journey.

In conclusion, reorganizing a business’ software development lifecycle is a project of its own. Every component must be prioritized, the implementation must be planned and organized and, most importantly, proceed step by step. The key to success is to discover and remediate security vulnerabilities before hackers do.

This blog post has been originally posted in the Trait de Génie online magazine.