
CISO Strategy – Include Application Security Testing in SDLC


Recent industry reports such as the Verizon Data Breach Investigations Report (DBIR) show that a growing share of attacks target applications, and the trend is increasing for several reasons, including the following:

  • Most attacks on information technology systems are financially motivated, and applications sit directly in front of the data attackers want.
  • A network firewall has to allow traffic to the ports an application exposes, so an attack carried inside legitimate-looking application requests passes the network controls untouched; attackers don't need to worry about them.
  • Most organizations now do a reasonable job on network and operating system security, while application security still lags behind.

Fixing application security defects in production is harder, slower and far more costly than fixing them during development. As a CISO, or as the person responsible for the security of the applications, you are better off making application vulnerability testing part of the Software Development Life Cycle (SDLC) or of the project delivery process.

A number of SaaS tools for application security testing are available, and you don't need to spend a fortune on them. Capable open source tools for application testing exist as well.
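Putting testing inside the SDLC only pays off if the pipeline actually refuses to promote code with unfixed high-risk findings. The following is an added example, not code from the original post or from any particular scanner vendor: a release gate that reads a SARIF 2.1.0 report (the output format many static analysis tools emit), rates each finding, and returns the ones that must be fixed before deployment. The sample report, the tool name "example-sast", the 7.0 blocking threshold and the use of the "security-severity" rule property as the primary rating are all assumptions made for the example; substitute your own policy.

```python
"""Release gate: fail a build when scan results contain unfixed high-risk findings.

Hypothetical example. Reads a SARIF 2.1.0 report, maps each result to a 0-10 risk
score, and returns the findings that block promotion. The thresholds and the
"security-severity" rule property are policy assumptions, not part of the standard.
"""
import json
from dataclasses import dataclass

# Constructed SARIF report standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "sqli", "properties": {"security-severity": "9.8"}},
            {"id": "weak-hash", "properties": {"security-severity": "5.3"}},
            {"id": "todo-comment"},
        ]}},
        "results": [
            {"ruleId": "sqli", "level": "error", "message": {"text": "string-built SQL"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning", "message": {"text": "MD5 used"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "todo-comment", "level": "note", "message": {"text": "TODO left"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                 "region": {"startLine": 1}}}]},
        ],
    }],
})

# Fallback ratings when a rule carries no security-severity (assumed policy).
LEVEL_SCORE = {"error": 8.0, "warning": 5.0, "note": 1.0, "none": 0.0}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    score: float
    text: str


def load_findings(sarif_text: str) -> list[Finding]:
    """Flatten a SARIF document into findings with a 0-10 risk score.
    Prefers the rule's security-severity property; falls back on the result level."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        rule_scores = {}
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            sev = rule.get("properties", {}).get("security-severity")
            if sev is not None:
                rule_scores[rule["id"]] = float(sev)
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            score = rule_scores.get(rule_id, LEVEL_SCORE.get(res.get("level", "warning"), 5.0))
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", 0)
            out.append(Finding(rule_id, path, line, score, res.get("message", {}).get("text", "")))
    return out


def gate(findings, block_at=7.0, accepted=frozenset()):
    """Return the findings that block promotion: score >= block_at and not on the
    risk-accepted list. The accepted list is keyed by (rule, path) so a fix or a
    code move re-triggers review; it is an explicit input, never inferred from the scan."""
    return [f for f in findings if f.score >= block_at and (f.rule, f.path) not in accepted]


if __name__ == "__main__":
    import sys
    blocking = gate(load_findings(SAMPLE_SARIF))
    for f in blocking:
        print(f"BLOCK {f.rule} {f.path}:{f.line} score={f.score} {f.text}")
    sys.exit(1 if blocking else 0)
```

Run as a pipeline step after the scanner, the non-zero exit code is what stops the deployment. Findings below the threshold are still reported to the team; the gate decides only what may not ship.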

Action Items

Some of the following actions cost very little and go a long way toward implementing application security.

  • Create corporate standards for application development that should be based upon established research like the:
  • Make ongoing training for software developers part of the security awareness program.
  • Make application security testing part of the SDLC, with a gate that stops code carrying unfixed high-risk vulnerabilities from moving to production.
  • Implement tight control over unauthorized application changes. This control must go beyond the regular change control process and must be able to detect changes to the deployed application software itself (e.g. file integrity monitoring), so that a change with no matching approved change request stands out.
  • A properly implemented Web Application Firewall (WAF) gives a good return on security investment and belongs in your application security strategy; treat it as a compensating control that buys time to fix the code, not as a substitute for fixing it.
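The file integrity monitoring named in the action items, as an added example that is not from the original post: hash every file under the application root at deployment time, keep that baseline, and later report anything added, removed or modified. Each reported path is then checked against the change-control record; a change with no matching ticket is the unauthorized change the control is meant to catch. The directory layout, file names and the simulated tampering in `demo()` are constructed for the example.

```python
"""File integrity monitoring for a deployed application: baseline, then detect drift.

Hypothetical example. Hashes every regular file under the application root with
SHA-256, keeps the baseline, and reports files added, removed or modified since
the approved deployment.
"""
import hashlib
import json
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256.
    Symlinks are skipped so a link pointed at another file cannot mask a swap."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            result[path.relative_to(root).as_posix()] = _sha256(path)
    return result


@dataclass
class Drift:
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)

    def clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare(approved: dict[str, str], current: dict[str, str]) -> Drift:
    """Diff two baselines. The approved baseline should come from the release
    artifact or from a store the application host cannot write to; a baseline
    kept beside the code can be rewritten by whoever changed the code."""
    d = Drift()
    for p in sorted(set(approved) | set(current)):
        if p not in current:
            d.removed.append(p)
        elif p not in approved:
            d.added.append(p)
        elif approved[p] != current[p]:
            d.modified.append(p)
    return d


def demo() -> Drift:
    """Constructed scenario: deploy, record the baseline, tamper, detect."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "login.py").write_text("def login(u, p): return check(u, p)\n")
        (root / "app" / "config.json").write_text('{"debug": false}\n')
        approved = baseline(root)
        # Simulated unauthorized changes: a modified login routine, a dropped
        # file, and a deleted configuration file.
        (root / "app" / "login.py").write_text("def login(u, p): return p == 'letmein' or check(u, p)\n")
        (root / "app" / "shell.php").write_text("<?php /* placeholder for a dropped file */ ?>\n")
        (root / "app" / "config.json").unlink()
        return compare(approved, baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo().__dict__, indent=2))
```

In production the baseline is taken from the build artifact rather than from the host, the comparison runs on a schedule or on a file-system event, and a non-empty `Drift` raises an alert that is reconciled against approved change requests.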

The post CISO Strategy – Include Application Security Testing in SDLC appeared first on CISO Leadership, Strategy, and Research.

