Latest research reports (e.g. Verizon DBIR) show that more and more attacks are directed towards applications and this trend is increasing due of multiple reasons including the following:
- Most attacks on information technology systems are financially motivated. Applications provide direct access to data that is valuable to attackers.
- Firewalls allow direct access to applications, which means attackers don’t need to worry about network security controls.
- Most of the organization are doing better job on network and operating system security but applications are still lagging behind.
Fixing application security defects after an application goes to production is more difficult, takes more time, and is costly. As a CISO or as a person in the position of ensuring security of the applications, you are better off by making application vulnerability testing as part of the Software Development Life Cycle (SDLC) or project delivery process.
There are a number of SaaS tools for application security testing and you don’t need to spend a fortune on these tools. Open source tools are also available for application testing.
Action Items
Some of the following actions cost very little and go a long way in implementing application security.
- Create corporate standards for application development that should be based upon established research like the:
- OWASP top ten web application security risks – https://www.owasp.org/index.php/Top_10
- Safecode – http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf
- Verizon data breach investigation report – http://www.verizonbusiness.com/Products/security/dbir/
- Make ongoing training for software developers as part of security awareness program.
- Application testing has to be part of SDLC to ensure high-risk security vulnerabilities are fixed.
- Implement a tight control over unauthorized application changes that goes beyond regular change control process and is able to detect changes to application software (e.g. file integrity monitoring).
- Proper implementation of a Web Application Firewall (WAF) provides good return on security investment. Make this part of your application security strategy.
The post Application Security and SDLC appeared first on CISO Leadership, Strategy, and Research.