
In light of the recent, high-profile ransomware attacks on Colonial Pipeline, the National Basketball Association (NBA), and JBS Foods, the cybersecurity community, IT experts, and executive management from businesses of every size are taking application security more seriously than ever before. Ransomware changes the landscape of security from reactive to proactive—meaning the focus of application security shifts from pre-deployment vulnerability testing to ensuring developers and security teams perform security checks at every stage of the software development life cycle (SDLC). Extensive testing, extra planning, and code testing throughout the entire life cycle are expensive and time-consuming; however, the money spent up front on these tasks will likely prevent compromises, breaches, and ransomware attacks that not only cost millions of dollars in data recovery but also threaten a company’s reputation.
In 2016, The Economist Intelligence Unit surveyed large businesses in 16 countries about their greatest cybersecurity concerns. The largest share of respondents (25 percent) reported that the asset most in need of protection from cyberattacks is their reputation with customers.
In this article, we’ll define application security, explore proactive application security testing, examine web application security and ransomware attacks, and cover the Open Web Application Security Project’s (OWASP) top 10 web application security risks.
Application security refers to protecting internet-facing web applications from attacks that disrupt, exploit, inject malicious code, or otherwise damage the application, backend databases, data, the underlying operating system, and other web application components. Application security can be approached from different perspectives and at various points along the continuous integration and continuous deployment (CI/CD) pipeline, as shown below.
Plan->Code->Build->Test->Release->Deploy->Operate
Historically, developers and testers have performed security testing on the right side of the CI/CD pipeline with penetration testing and service organization controls (SOC) compliance audits. This type of testing and auditing still has value and purpose within an overall security compliance schema, but shifting security testing to the left in the pipeline is more effective at providing comprehensive protection against coding flaws that lead to vulnerabilities.
By testing early in the development process with scans that identify known code vulnerabilities from open source software (OSS) components, known as software composition analysis (SCA), the resulting code moves to the next phase in the CI/CD pipeline in a more secure state. Performing SCA in this phase also allows companies to resolve any OSS licensing issues that might arise later if such testing hadn’t been done.
Additionally, performing static application security testing (SAST) early in the process, alongside SCA, is an effective way to identify code vulnerabilities. SAST scans identify code blocks that introduce leaks, injections, overflows, and other problems into an application that later become application vulnerabilities. By preventing insecure code early in the development process, the application moves toward production with fewer potential flaws that would surface in production.
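As an added illustration of the SCA step described above (not code from the original article), the following Python sketch checks a constructed dependency manifest against a constructed advisory list and a license policy, then decides whether the build may move to the next pipeline stage. Every package name, version, advisory id and license below is a placeholder, not a real advisory.

```python
import re

# Constructed sample manifest in requirements style (placeholder packages).
MANIFEST = """\
requests==2.19.1
pyyaml==5.3.1
jinja2==3.1.2
gpl-only-lib==1.0.0
"""

# Constructed advisory feed: package -> list of (fixed-in version, advisory id).
# The ids are placeholders, not real CVE numbers.
ADVISORIES = {
    "requests": [("2.20.0", "ADV-PLACEHOLDER-1")],
    "pyyaml": [("5.4", "ADV-PLACEHOLDER-2")],
}
# Constructed license metadata and a policy that rejects copyleft licenses.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT",
            "jinja2": "BSD-3-Clause", "gpl-only-lib": "GPL-3.0"}
DISALLOWED_LICENSES = {"GPL-3.0", "AGPL-3.0"}

def parse_version(v):
    # Dotted numeric versions compare correctly as integer tuples.
    return tuple(int(p) for p in v.split("."))

def parse_manifest(text):
    deps = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def scan(text):
    """Return (package, version, kind, detail) findings for the manifest."""
    findings = []
    for pkg, ver in parse_manifest(text).items():
        for fixed_in, adv in ADVISORIES.get(pkg, []):
            if parse_version(ver) < parse_version(fixed_in):
                findings.append((pkg, ver, "vulnerable", f"{adv} fixed in {fixed_in}"))
        lic = LICENSES.get(pkg, "UNKNOWN")
        if lic in DISALLOWED_LICENSES or lic == "UNKNOWN":
            findings.append((pkg, ver, "license", lic))
    return findings

def gate(findings):
    # True when the build may proceed to the next CI/CD stage.
    return not findings
```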
Early development phase scanning (SCA and SAST) includes the following lists of known vulnerabilities.
One particular area of application security that has received a lot of attention lately is ransomware protection. Ransomware is a specific type of malware that typically executes malicious code that encrypts data and demands a ransom to provide a decryption key. Application security can help prevent a multitude of entry points or vectors into an application and its backend infrastructure, including ransomware infections.
Secure software development practices, including vulnerability scanning and remediation, must be implemented to reduce the occurrence of these threats. Security by obscurity doesn’t work, nor does the thinking that “Our business is small and we have no significant data to steal.” If you have an internet-facing application, it has been scanned and probed for vulnerabilities by cybercriminals. A multi-layered approach, beginning with secure development, is part of the solution to halting the success of attacks and the financially devastating consequences of ransomware.
Both pre- and post-deployment testing are necessary to ensure not only that the application is more secure upon deployment but that new vulnerabilities are detected and remediated as they’re found. Developers and testers must remain vigilant in fixing code flaws before they’re found by cybercriminals and malicious actors. Early pre-deployment code scans and fixes are performed before any code compilation in the development process, making remediation much less expensive. These scans, tests, and remedies must be applied to each new iteration or code release as it is put into production. Customers are often “upgrade averse” because updates can introduce new vulnerabilities into an application. Early detection and response might help to allay their upgrade fears and allow developers to end support for older product versions.
Reference Material:
Economist Intelligence Unit: Protecting the brand—cyber-attacks and the reputation of the enterprise: https://eiuperspectives.economist.com/sites/default/files/images/EIU-VMware%20Protectingthebrand_PDF.pdf
Forrester Report: The State of Application Security 2021: https://reprints2.forrester.com/#/assets/2/425/RES164041/report