The pace of application releases is quicker than ever, and it keeps accelerating. At the same time, the majority of breaches happen through vulnerabilities in applications.
Industry analysts have repeated for a long time that application layer vulnerabilities are the leading cause of breaches. In 2015, the U.S. Department of Homeland Security stated that 90 percent of security incidents result from defects in applications.
Despite this, over the years the focus in enterprise security has been in network and IT platform levels. Massive investments have been done into the infrastructure in order to fortify domains against threats from the Internet. But this old-fashioned focus fails to address the real weakness.
It's time to rethink our security efforts.
It is essential to find potential issues as early as possible: we must dig into the development phase, and test the security already then.
If you run a business buying applications, you must make sure the vendor excels in testing. One minor mistake in development may turn into a business-critical problem, resulting in lost data, lost reputation, and lost customers.
But how does the reality look like in application development?
In modern application development, speed is a critical factor, and it keeps accelerating. This is partly a consequence of agile development methods.
"I'm too much in a hurry to do security testing now, we need to get this released". This is what I have heard lately, and it makes me scared. People involved in application development simply move the application into production and delay or neglect security checks. Lack of time applies especially to rapid patches.
Developers are under constant pressure to deliver new releases – delays would hurt the business. But businesses and developers should reconsider. Squeezing out releases while skipping security testing may become a costly adventure.
Every release is a risk. One reason is the widespread practice among developers to reuse code, often borrowed from open source libraries.
If the code includes vulnerabilities, hackers will be able to make a broad impact with a small number of exploits. One such example are containers, the corner stone of modern web based applications. They are handy, but bring new security risks as my colleague Timo Ahomäki has pointed out, and he's also given valuable tips to secure them.
Recently, application security testing has become a major trend, confirmed by a sharp increase in spending. But actual application security testing is very demanding. Critical holes may be very hard to identify. Is it enough to check that the code does not include most common errors listed in the famous OWASP Top 10 reports?
The only way to survive is a holistic and systematic approach. You need an application security testing process for the whole lifecycle of each application. This ensures that testing takes place during development, not after each release.
Another must is automation. The sheer amount of code produced every day is overwhelming for any human to check manually. Manual penetration testing is not enough either.
However, even the best automation does not identify every vulnerability. Human experts are necessary to fill in the gaps, and they can act upon the results of automated scans. Manual testing must complement automation.
Most developers only have a basic understanding of security issues. This is why you need application security specialists. However, it is not easy to recruit these experts highly in demand. There is also another way – for example, Tieto offers the required expertise as a service, including both highly advanced automation and human experts.
Do you want to know more about application security testing? Download my practical guide.