Our Continuously Connected Lives: What’s Your ‘App’-titude?

Changing Your Attitude about Application Security

Stephen Nardone

With the continued evolution of IoT devices and the rapid pace of software innovation, everyone needs to change their ‘app’-titude around security. As business leaders, you are not only modeling best security practices for end users, but you also need to demand that developers change their attitudes about application security.

The majority of security attacks happen at the application level, and more often than not attackers are successful only because users have not updated their software with current patches. The proliferation of web-based applications is another critical factor. According to the 2016 Verizon Data Breach Investigations Report, web application attacks are now the most frequent pattern in confirmed breaches.

When developers release code before testing or resolving security issues for bugs, that’s a huge indication of either a flaw in training or a lack of testing through the stages of development. In fact, 30% of companies do not scan for vulnerabilities during code development. Making security an inherent part of each stage of the development cycle means that application developers perform security checks to ensure that the application is resistant to malicious attacks.

Most post market vulnerabilities are flaws in code that could have been avoided if security strategies were implemented at each stage of development. Developers shouldn’t assume that when they are using open source code that it is free of any vulnerabilities. Rather, you should understand the risks and know the basic techniques of risk management.

Case in point: Take the commonly used elements contained in a set of software components called the Apache Commons Configuration – a widely used collection of Java scripts. A single vulnerability in the library exploited by hackers in 2015 resulted in 80,023 applications containing that vulnerability.

Though acceptance, avoidance, and transfer are useful techniques in risk management, the most important is mitigation. True, many attacks could have been mitigated if patches had been kept up to date, but developers need to ensure the integrity of their product by adhering to industry standards and regulatory requirements. Input validation is one counter measure used to mitigate the threats posed by user interfaces and web forms. This validation technique ensures that only authentic data in proper format enters into the application.

Connection’s Security Information services can help you learn more about additional countermeasures to mitigate risks and ensure that you are using the best practices to test security through the application life cycle. Through Security Innovation, a Connection partner and recognized leader in the Security Training market, we offer a suite of on-demand, interactive, scenario-based training modules such as the Information Security & Privacy Awareness (ISPA) training, delivered via your LMS or on-demand through the SI learning portal. These training modules reinforce security awareness and drive behavioral change needed to protect your organization.