Six Golden Rules for Software and Application Security
October is Cybersecurity Awareness Month, established back in 2004 by the Office of the U.S. President and the U.S. Congress. Led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), the initiative helps both individuals and enterprises make smarter, more informed security decisions. This can involve everything from tips to avoid falling victim to phishing and fraud, to discovering what strategies and tools you should implement to protect your organization’s code and applications from attack. To mark this important initiative, we’ve gone back to basics with a primer that helps simplify the complex subject of software and application security.
What is application security and why is it important?
Application security protects the code and the software that form the basis of the applications that organizations use, create, and provide to their customers. Source code takes the form of either open source software or custom code, and the rapid pace of application development has led to an escalation in possible code vulnerabilities and an increase in the potential attack surface for malicious actors. According to Forrester’s State of Application Security 2022 report, applications remain the most common way for external cyberattackers to gain access to data and digital infrastructure, with software vulnerabilities as the top attack vector over the last year, and web applications at number three.
Furthermore, malicious actors have realized that an effective method of attack is via the software supply chain, where they can insert malicious code into a supplier’s applications, dependencies or tools, and then exploit the resulting vulnerability. The Forrester report notes that the incidence of this form of attack increased nearly sevenfold between 2020 and 2021, and the European Union Agency for Cybersecurity (ENISA) predicts a further fourfold increase in supply chain attacks, with 50 percent focused on the supplier’s code in 2022.
How can you be sure that you’re implementing a robust and effective application security strategy? The answer is to follow the six golden rules of software and application security. Let’s take a look at them.
1. Systemically update
Software components and dependencies are continually being refreshed and updated to improve their performance, enable new features, or enhance security with patches that address identified vulnerabilities. Always ensure that you are using the most up-to-date versions of every component and dependency so that any vulnerabilities previously identified within them have been patched.
Open source software and its dependencies are particularly exposed to changes, both good and malicious. Between 70 and 90 percent of modern applications contain free and open source software, and open source dependencies may introduce security flaws into the applications that depend on them, so it’s especially important to keep on top of these updates and ensure that you have the latest security patch to deal with them. Once a vulnerability is patched, a newer, less vulnerable version of the dependency is usually released. Therefore, regularly updating dependencies is an important habit.
2. Know your sources
Software and applications are composed of increasingly complex relationships between multiple components and dependencies, all of which must be safeguarded for your applications to be properly secure. You can’t protect components and dependencies, or detect and fix their vulnerabilities, if you don’t know where they are and what they are. So, start by doing an audit of the issues you’ve encountered. See if you can answer the following questions:
- Which are the most frequent issues and vulnerabilities you encounter?
- Which are the most severe—those that pose the biggest risk to your software, apps, products, and services?
- From where do they derive?
- Are they similar or varied?
- Are there particular sources that are more vulnerable than others?
- What do these vulnerabilities have in common?
Finding answers to these will help you understand the extent of your issues and the types of problems you’ll face. Use a tool that gives thorough, transparent visibility into your components. In particular, choose a tool that produces a comprehensive software bill of materials (SBOM) to identify all sources and detect vulnerabilities that could pose threats if exploited by bad actors. SBOMs are perhaps the most significant tool for auditing your software supply chain and knowing your sources.
3. Strengthen compliance
Every dependency in an open source code base includes a license with its particular terms of use. Knowingly or unknowingly using dependencies in ways that contravene such terms and conditions is risky and could compromise your products or services.
There are hundreds of open source licenses, each with different terms and conditions, which makes it difficult to track each of them and ensure that your use fulfills their legal requirements. Nevertheless, to confidently ship products and services, you must be sure that your software, its dependencies, and your applications don’t breach these licenses and the terms and conditions of their deployment.
Compliance means that knowing the sources of your code becomes even more important, so look for a tool that offers a robust combination of SBOMs and updates. For everything you should know about working compliantly with open source components, consult our complete guide for open source licenses.
4. Prioritize
The escalating volume of components and dependencies used in code bases means that there’s a mind-boggling number of potential vulnerabilities to address, check, and remediate. Unfortunately, many tools make things worse by generating a large number of false positive results.
A false positive happens during software testing when a scanning tool reports a security vulnerability that isn’t actually present. Consequently, developers and DevOps can spend considerable time and effort investigating and “fixing” findings that were never real. As a result, they’re often inclined to disregard security scanning altogether, which could be detrimental to the security and compliance of what they produce.
The solution is to use a tool that can prioritize detection and remediation in line with custom specifications designed to meet your organization’s requirements. Priority-scoring vulnerabilities enables your teams to target those that most urgently need attention and focus limited remediation resources on resolving the most critical issues first. Plus, with this capability in place, you can set a benchmark for false positives and use it as a metric to measure the effectiveness of your tool.
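As an added illustration of rules 2 and 4 (this is example code written for this primer, not a product's implementation), the following pass matches a CycloneDX-style SBOM against an advisory feed, applies an organization-specific priority weighting with a cut-off, and computes a false-positive benchmark from analyst verdicts. The SBOM, the advisory feed, the `ADV-000x` identifiers and the "internet-facing" weighting are all constructed assumptions.

```python
# Added example (not part of the original article): a minimal SBOM triage pass.
# The SBOM, the advisory feed and the analyst verdicts below are constructed
# sample data; the ADV-000x identifiers are placeholders, not real advisories.
import json

# Constructed CycloneDX-style SBOM, reduced to the fields the example needs.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "left-pad", "version": "1.1.0",   "purl": "pkg:npm/left-pad@1.1.0"},
    {"name": "requests", "version": "2.19.1",  "purl": "pkg:pypi/requests@2.19.1"},
    {"name": "lodash",   "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
  ]}""")

# Constructed advisory feed: package, first fixed version, CVSS base score.
ADVISORIES = [
    {"id": "ADV-0001", "name": "requests", "fixed_in": "2.20.0",  "cvss": 7.5},
    {"id": "ADV-0002", "name": "lodash",   "fixed_in": "4.17.21", "cvss": 9.1},
    {"id": "ADV-0003", "name": "left-pad", "fixed_in": "1.3.0",   "cvss": 3.1},
]

def version_tuple(v):
    """Compare dotted numeric versions as integer tuples (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))

def match_advisories(sbom, advisories):
    """Return advisories whose package is in the SBOM at a version below the fix."""
    installed = {c["name"]: c["version"] for c in sbom["components"]}
    return [a for a in advisories
            if a["name"] in installed
            and version_tuple(installed[a["name"]]) < version_tuple(a["fixed_in"])]

def prioritize(findings, internet_facing, min_score):
    """Rank findings by a custom score and drop those under the org's threshold."""
    scored = []
    for f in findings:
        # Custom weighting: double the CVSS score for internet-facing packages.
        score = f["cvss"] * (2.0 if f["name"] in internet_facing else 1.0)
        if score >= min_score:
            scored.append({**f, "priority": score})
    return sorted(scored, key=lambda f: f["priority"], reverse=True)

def false_positive_rate(findings, confirmed_ids):
    """Benchmark the scanner: share of reported findings that analysts rejected."""
    if not findings:
        return 0.0
    rejected = [f for f in findings if f["id"] not in confirmed_ids]
    return len(rejected) / len(findings)
```

Tracking `false_positive_rate` over successive scans gives the benchmark the section describes; a rising rate is the signal that developers will start ignoring the tool.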
5. Remain agile, shift left, and automate
Although software developers aren’t security experts, it makes sense to invest a certain amount of effort in studying vulnerabilities. By learning root causes and spotting patterns, developers can reduce repeat occurrences and stay up to date on best practices. To further improve the protection of applications and their core code, it’s becoming increasingly vital to implement security strategies that shift left by applying security functions earlier in the software development life cycle (SDLC). When developers and DevOps take this step, they expand their detection and remediation across the SDLC.
The final piece of the puzzle is automation. Automation not only reduces the time that developers spend on security, but it also makes security processes faster and more thorough than any manual approach. Likewise, automation addresses the need for speed in detection, triage, and response.
And by deploying solutions that automatically detect and remediate vulnerabilities, companies can improve AppSec outcomes and make it simpler and easier to integrate application security into the SDLC. Given all of these benefits, it’s not surprising that 35 percent of organizations say they will invest in security automation in the coming year.
6. Train and collaborate
As I mentioned, software developers are not security experts, but as security shifts more and more into the SDLC, it’s important for them to learn about application security. One place to start is to understand the Open Web Application Security Project® (OWASP) Top Ten, which lists what are broadly considered to be the most critical security risks to web applications.
That, however, is just a starting point. The true experts are your application security team, and it’s important for them to deliver training that is tailored for a developer’s specific role. It’s also important to build a collaborative culture where developers know the value of asking security experts for a second opinion. That final review from a penetration tester or bug bounty program can save your company from a potential breach if a vulnerability is discovered.