Effective application security takes a team effort
Effective data security is a fundamental requirement for every business today. In the past, the responsibility for achieving it was often laid firmly at the door of the IT team, but today, data security requires close communication between many different internal teams.
The central tenet of any effective security program is the ability to communicate up and down the command chain quickly and effectively, but this isn’t always easy to achieve. With more and more business taking place online, vulnerabilities in web applications are becoming increasingly problematic.
The ability to identify and resolve issues fast can make the difference between keeping attackers out and potentially suffering significant data loss. Yet all too often, it is issues between parties within the command chain that slows down response times and prevents efficient security practices.
According to recent research, the average time it takes for critical website vulnerabilities to be found and remediated is 300 days, meaning the window for exploitation is significant. Closing these windows as fast as possible should be a top priority for every business, so how can the three key parties within the app security command chain (security professionals, senior leadership and DevOps) work together to speed up the security process and protect the organization more effectively?
The benefits of any application security program being fully realized without the direct involvement of the application development team is extremely low. Security professionals have the unique opportunity to evolve the application security program by balancing risk, organizational maturity and business goals. Security data and analytics should be a security professional's best tools to drive and eventually evidence overall improvement in an organizations application security posture.
Using industry remediation rates as a baseline for improvement is a good way to enhance an organization’s security posture, but it can be easier said than done. Few security professionals have the authority or power to directly influence the security of web applications under development in the DevOps team. As such, they need to skillfully position themselves as key development partners, using their knowledge of security analytics to add value to the process. Effectively doing so will allow them to ‘influence without authority.’
At the other end of the chain, it’s critical for security professionals to also keep the senior leadership team abreast of key events and developments taking place. Doing so will help to minimize any pressure from executives that feel out of the loop, while ensuring any pre-agreed timetables are met.
Senior leadership teams across all industries must accept the fact that the clear majority of their business applications are at some degree of risk. Despite this, many still weigh up security as a risk vs cost exercise. If the perceived cost of finding and addressing a vulnerability is too high, they will often choose not to. This can be spectacularly shortsighted, particularly when the cost of reputational damage and data loss is factored into the equation.
Members of the senior leadership are ideally placed to change the way an organization’s DevOps and security teams approach software. Whether outsourced, purchased or developed in-house, nearly every piece of software is typically introduced with functionality and time-to-market as the top priorities. But if teams aren’t given the time they need to integrate new software properly, chances are they will end up introducing new security flaws at the same rate as older ones are being rectified; not an ideal situation.
If executives want to truly understand and protect against the security threats faced, they must invest the time needed to get to grips with their entire application landscape. Analytics can be used to help identify and prioritize the most business critical applications. Next, they must ensure the organization’s security professionals have the tools they need to find vulnerabilities, while making sure development teams are held accountable for application security before they’re allowed to disengage from projects.
When it comes to application security, the DevOps team have the hardest job of all.
Actionable vulnerability data is rarely available during actual development cycles, meaning many security flaws only surface once an application has already gone live. Furthermore, due to time constraints imposed by senior leadership, DevOps teams are often confined to conducting security assessments at the last minute, just prior to release, which is far too late in the day to be effective.
DevOps teams need to work closely with security professionals and senior leadership to build security into the entire development lifecycle. Moving to a continuous integration process can help with this, as can the use of both dynamic scanning and source scanning throughout the development and implementation phases.
It’s also the role of DevOps to demonstrate to senior leadership that a slightly longer development phase is far more preferable to repeating the entire process multiple times due to vulnerabilities only being discovered after release. However, this is only possible if both DevOps and security professionals can communicate effectively up the chain of command, without fear.
Delivering effective app security in today’s business environment can be extremely challenging. In order to achieve it, teamwork and communication throughout the command chain are both critical, so that the different groups involved can understand the various challenges and drivers faced at each level. From the business continuity and time-to-market concerns at the senior leadership level, to development and implementation issues within the DevOps teams, striking the right balance between everyone is the key to truly effective app security.