In light of the recent, high-profile ransomware attacks on Colonial Pipeline, the National Basketball Association (NBA), and JBS Foods, the cybersecurity community, IT experts, and executive management from businesses of every size are taking application security more seriously than ever before. Ransomware changes the landscape of security from reactive to proactive—meaning that the focus of application security is changing from pre-deployment vulnerability testing to ensuring that developers and security teams perform security checks during every stage in the software development life cycle (SDLC). Extensive testing, extra planning, and code testing along the entire life cycle are expensive and time-consuming; however, the money spent up front on these tasks will likely prevent the compromises, breaches, and ransomware attacks that cost millions of dollars in data recovery, and it will also preserve a company’s reputation.
In 2016, The Economist [magazine] Intelligence Unit conducted a survey of large businesses from 16 countries covering their greatest concerns about cybersecurity. The largest share of respondents (25 percent) reported that the asset most in need of protection from cyberattacks is their reputation with customers.
In this article, I define what application security is, explore proactive application security testing, examine web application security and ransomware attacks, and cover the Open Web Application Security Project’s (OWASP) top ten web application security risks.
Application security defined
Application security refers to protecting internet-facing web applications from attacks that disrupt, exploit, inject malicious code, and otherwise damage the application and backend databases, data, the underlying operating system, and other web application components. Application security can be approached from different perspectives and in different locations along the continuous integration and continuous deployment (CI/CD) pipeline as shown below.
Historically, developers and testers have performed security testing on the right side of the CI/CD pipeline with penetration testing and service organization controls (SOC) compliance audits. This type of testing and auditing still has value and purpose in an overall security compliance schema, but it has been found that shifting security testing to the left in the pipeline is more effective in providing comprehensive protection from coding flaws that cause vulnerabilities.
The new rule of thumb: Test often and test early
By testing early in the development process with scans that identify known vulnerabilities in open source software (OSS) components, a practice known as software composition analysis (SCA), the resulting code moves to the next phase in the CI/CD pipeline in a more secure state. Performing SCA in this phase also lets companies resolve OSS licensing problems that would otherwise surface later in the pipeline.
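To make the SCA step concrete, here is an added example (not code from the original article or from any product it mentions) that does what an SCA scan does at its core: it builds an inventory of third-party components from a requirements-style manifest and compares each pinned version against an advisory feed, while also flagging components whose licence needs review. The manifest, the advisory identifiers (`ADV-EXAMPLE-…`), the package names and the licence table are all constructed for illustration and are not real CVEs or real packages.

```python
"""Minimal software composition analysis (SCA) check (added example).

Inventories third-party components from a requirements-style manifest and
matches them against a small, constructed advisory list. Advisory IDs,
package names, versions and licences are made up for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, not a real CVE
    package: str
    fixed_in: tuple       # first version that contains the fix
    severity: str


# Constructed advisory feed standing in for a CVE / OSS vulnerability index.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "examplelib", (2, 3, 1), "high"),
    Advisory("ADV-EXAMPLE-0002", "fakeparser", (1, 0, 5), "medium"),
]

# Constructed licence data: packages whose licence needs review before release.
LICENSE_REVIEW = {"fakeparser": "AGPL-3.0"}

# Constructed manifest in pip requirements format (package==version).
MANIFEST = """\
examplelib==2.2.0
fakeparser==1.0.5   # already at the fixed version
safepkg==0.9.1
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def parse_manifest(text):
    """Return {package_name: version_tuple}; skips blank lines and comments."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        deps[m.group(1).lower()] = parse_version(m.group(2))
    return deps


def scan(manifest_text, advisories=ADVISORIES, license_review=LICENSE_REVIEW):
    """Return (vulnerable_findings, license_findings) for the manifest.

    A component is vulnerable when its pinned version is below the advisory's
    fixed_in version; being at or above fixed_in clears it.
    """
    deps = parse_manifest(manifest_text)
    vuln = []
    for adv in advisories:
        ver = deps.get(adv.package.lower())
        if ver is not None and ver < adv.fixed_in:
            vuln.append((adv.package, ver, adv.advisory_id, adv.severity))
    lic = [(pkg, license_review[pkg]) for pkg in sorted(deps) if pkg in license_review]
    return vuln, lic


if __name__ == "__main__":
    vulns, licenses = scan(MANIFEST)
    for pkg, ver, adv_id, sev in vulns:
        print(f"{sev.upper():6} {pkg}=={'.'.join(map(str, ver))} affected by {adv_id}")
    for pkg, lic in licenses:
        print(f"LICENSE review needed: {pkg} ({lic})")
```

Run against the constructed manifest, the scan reports `examplelib` (pinned below the fix version) and a licence review for `fakeparser`, but clears `fakeparser`'s vulnerability because its pin is exactly the fixed version. Real SCA tools do the same comparison against curated feeds and handle version ranges, transitive dependencies and ecosystem-specific version syntax; the point of the example is that the check is a mechanical inventory-versus-feed comparison that can run on every commit.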
Additionally, performing static application security testing (SAST) early in the process alongside SCA is a very effective method of identifying code vulnerabilities. SAST scans identify code blocks that introduce leaks, injection, overflows, and other problems into an application that later become application vulnerabilities. By catching insecure code early in the development process, the application moves toward production with fewer flaws that would otherwise surface there.
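As an added illustration of how a SAST rule works (this is example code written for this article, not the output or logic of any SAST product), the block below parses Python source into an abstract syntax tree and flags two of the injection patterns the paragraph mentions: SQL statements assembled with `%`, `+`, `.format()` or f-strings before being passed to `execute()`, and `subprocess` calls that run a command string with `shell=True`. The sample source, the rule identifiers (`SQLI-001`, `CMDI-001`) and the simplified name matching are assumptions made for the example.

```python
"""Minimal static application security testing (SAST) rule (added example).

Walks the AST of Python source and reports two insecure patterns that SAST
tools commonly flag: SQL built from dynamic strings, and shell=True command
execution. The sample source below is constructed for illustration.
"""
import ast

# Constructed sample: two insecure query sites, one safe parameterised query,
# and one shell=True call. Line numbers are relative to this string.
SAMPLE_SOURCE = '''
import subprocess

def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)   # line 5
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")     # line 6
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))   # safe

def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)                  # line 10
'''


def _is_dynamic_string(node):
    """True when a string is assembled at runtime rather than a plain literal.

    Heuristic: any '+' / '%' binop, .format() call, or f-string with a
    placeholder counts as dynamic, even if every operand happens to be a literal.
    """
    if isinstance(node, ast.JoinedStr):                      # f-string
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                          # "%" or "+" formatting
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


class InsecureCallVisitor(ast.NodeVisitor):
    """Collects (line, rule_id, message) findings for each matching call."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        if isinstance(node.func, ast.Attribute):
            name = node.func.attr            # obj.method(...)
        else:
            name = getattr(node.func, "id", "")   # bare function(...)

        # Rule 1: first argument of execute()/executemany() built dynamically.
        if name in ("execute", "executemany") and node.args \
                and _is_dynamic_string(node.args[0]):
            self.findings.append((node.lineno, "SQLI-001",
                                  "SQL statement built from a dynamic string; "
                                  "pass values as query parameters instead"))

        # Rule 2: subprocess-style call with shell=True (name match is a
        # simplification; a real rule would resolve the imported module).
        if name in ("run", "call", "Popen", "check_output") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords):
            self.findings.append((node.lineno, "CMDI-001",
                                  "shell=True with a command string; "
                                  "pass an argument list without a shell"))
        self.generic_visit(node)


def scan_source(source):
    """Return findings as a list of (line, rule_id, message), sorted by line."""
    visitor = InsecureCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, rule, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {msg}")
```

Because the rules operate on the syntax tree rather than on text, the parameterised query on line 7 is not reported even though it contains `%s`: its first argument is a constant, and the values travel separately. That distinction, which a plain text search cannot make, is why SAST findings are actionable enough to gate a build before compilation or packaging.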
Early development phase scanning (SCA and SAST) draws on the following lists of known vulnerabilities and weaknesses:
- OWASP’s Top Ten Web Application Security Risks
- CWE Top 25 Most Dangerous Software Weaknesses
- Common Vulnerabilities and Exposures (CVEs)
One particular area of application security that has received a lot of attention lately is protecting against ransomware. Ransomware is a specific type of malware that usually requires execution of malicious code that encrypts data and then demands a ransom in exchange for a decryption key. Application security can help close a multitude of entry points, or vectors, into an application and its backend infrastructure, including those that lead to ransomware infections.
The need for secure software development
Secure software development practices that include scanning for and remediating vulnerabilities are needed to decrease the occurrence of these types of threats. Security through obscurity doesn’t work, nor does the thinking that, “Our business is small and we have no significant data to steal.” If you have an internet-facing application, it has already been scanned and probed for vulnerabilities by cybercriminals. A multi-layered approach beginning with secure development is part of the solution to halting successful attacks and the financially devastating results of ransomware.
Both pre- and post-deployment testing are necessary to ensure not only that the application is more secure upon deployment but also that new vulnerabilities are detected and remediated as they’re found. Developers and testers must remain vigilant in fixing code flaws before they’re found by cybercriminals and malicious actors. Early pre-deployment code scans and fixes are performed prior to any code compilation in the development process, which makes remediation much less expensive. These scans, tests, and remedies must also be applied as each new iteration or code release is put into production. Customers are often “upgrade averse” because updates can introduce new vulnerabilities into an application. Early detection and response might help to allay their upgrade fears and allow developers to end support for older product versions.
Economist Magazine – Intelligence Unit: Protecting the brand—cyber-attacks and the reputation of the enterprise: https://eiuperspectives.economist.com/sites/default/files/images/EIU-VMware%20Protectingthebrand_PDF.pdf
Forrester Report: The State of Application Security 2021: