With the increasing pressure for businesses to deploy applications across their networks at pace, developers are being forced to speed up launch times, potentially leaving their firms open to cyber-attacks, says Martin Walshaw, senior engineer at F5 Networks.
In a world where data security is paramount, application security is vital to avoid distributed denial of service (DDoS), the onslaught of malware and constant web attacks. However, with the increasing pressure for businesses to deploy applications across their networks at pace, developers are being forced to speed up launch times, potentially leaving their firms open to cyber-attacks.
There are two further reasons why applications contain vulnerable code. The first is that developers sometimes do not understand secure coding practices; the second is that the code they produce is simply of poor quality. Talent is the lifeblood of business. Therefore, hiring and retaining skilled and qualified application developers will significantly enhance an organisation's security and will help to drive secure coding procedures and IT standards across the operation.
In a changing risk environment, more testing of applications is required to ensure that application security risk is mitigated. Many organisations do not test applications for threats and vulnerabilities at all, or testing is not scheduled in advance. Meanwhile, too few companies test applications every time the code changes.
Securing applications
Many companies are turning to application specialists to help them seamlessly scale cloud, data centre and software-defined networking deployments to successfully deliver secure applications to anyone, anywhere, at any time. With commercial pressures to quickly release applications and enable users to access software in their workplace, there are many instances where standards are being compromised. In today’s market, there is no room for error where data security is at risk.
There is currently little confidence that developers follow secure design practices, such as threat modelling and architectural risk analysis. In addition, developers must follow secure testing practices, including manually reviewing code for security issues, using static code analysis tools, analysing software security requirements, and creating security test plans and test cases.
DevOps practices such as continuous integration are believed to improve application security. Many organisations view them as a more robust way to embed better practices into the application development lifecycle. Too few, however, have evaluated and implemented tenant isolation methods or models for segregating application traffic and data.
As an interim option, virtual patching is a temporary policy that is sometimes used to mitigate the exploitation risk that follows the discovery of a new security vulnerability. It eliminates the potential threat of an application or system security loophole being identified and exploited by hackers. This approach allows developers and security administrators to keep applications and systems running until a vulnerability fix is identified, implemented and tested. Virtual patching, however, is not a long-term solution.
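To make the virtual patching idea concrete, the following is an added example (not code from the article, and not an F5 product feature): a small request filter that sits in front of an application and blocks requests that match the shape of a known, not-yet-fixed vulnerability. The endpoint paths, the rules, the ticket identifier and the sample requests are all constructed for illustration. Each patch carries the id of the real fix it is standing in for and a review date, so that the temporary rule is revisited rather than quietly becoming permanent.

```python
"""Minimal virtual-patch layer placed in front of an application.

A virtual patch blocks exploitation of a known vulnerability at the
request boundary until the real code fix is implemented and tested.
Endpoint names, rules and sample requests below are constructed for
this example; they do not describe any real application.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs
import logging

log = logging.getLogger("virtual_patch")


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Patch:
    fix_ticket: str                    # placeholder id of the permanent fix
    path_prefix: str                   # only requests under this path are checked
    check: Callable[[Request], Optional[str]]  # returns a block reason or None
    review_by: str                     # date the temporary rule must be reviewed


def deny_unsafe_report_format(req: Request) -> Optional[str]:
    """Hypothetical flaw: the report exporter mishandles unexpected
    'format' values. Until fixed, only allow-listed formats pass."""
    fmt = parse_qs(req.query).get("format", ["csv"])[0]
    if fmt not in {"csv", "json"}:
        return f"format={fmt!r} is not on the allow-list"
    return None


def deny_traversal_in_file_param(req: Request) -> Optional[str]:
    """Hypothetical flaw: the download handler joins 'file' onto a base
    directory without normalising it. Block any '..' path component."""
    for value in parse_qs(req.query).get("file", []):
        components = value.replace("\\", "/").split("/")
        if ".." in components:
            return "parent-directory component in 'file' parameter"
    return None


# Constructed rule set; in practice this would be loaded from a reviewed config.
PATCHES: List[Patch] = [
    Patch("TICKET-PLACEHOLDER-1", "/api/reports", deny_unsafe_report_format, "2000-01-01"),
    Patch("TICKET-PLACEHOLDER-2", "/api/files", deny_traversal_in_file_param, "2000-01-01"),
]


def apply_virtual_patches(req: Request,
                          patches: List[Patch] = PATCHES) -> Tuple[bool, Optional[str]]:
    """Return (allowed, reason). The first matching rule that objects wins.

    Requests outside every patched path prefix are passed through untouched,
    so the filter changes nothing for the rest of the application.
    """
    for patch in patches:
        if not req.path.startswith(patch.path_prefix):
            continue
        reason = patch.check(req)
        if reason:
            # Logging the ticket id ties each block back to the pending fix,
            # which is what makes the patch reviewable and removable later.
            log.warning("virtual patch %s blocked %s %s?%s: %s",
                        patch.fix_ticket, req.method, req.path, req.query, reason)
            return False, f"{patch.fix_ticket}: {reason}"
    return True, None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample traffic: two benign requests and two that match
    # the shape of the hypothetical vulnerabilities.
    samples = [
        Request("GET", "/api/reports", "format=json"),
        Request("GET", "/health"),
        Request("GET", "/api/reports", "format=xml"),
        Request("GET", "/api/files", "file=../../config.yml"),
    ]
    for r in samples:
        print(r.method, r.path, r.query or "", "->", apply_virtual_patches(r))
```

The filter deliberately does nothing for paths it has no rule for, and every block is logged with the ticket id of the fix it is covering for; when that fix ships, the corresponding `Patch` entry is removed and the temporary control disappears with it.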
Maximising performance
The ability to reduce time-to-market of updates and follow industry standards is imperative to ensure companies can mitigate security issues and eradicate vulnerabilities from development to deployment. In reality, application security is vital in banking, finance, insurance and many other industries, including manufacturing; access and identity services are critical to maintaining a positive security posture while enabling users to access applications from anywhere and at any time.
It is widely known that there is a shortage of specialist skills with regard to application development. As industries begin to embrace new technologies, such as the cloud, the Internet of Things (IoT) and application development, nurturing new developer talent and ensuring they adhere to secure coding practice will improve procedures. This also includes penetration testing and slowing down the application delivery cycle within the organisation. The use of automated scanning tools to test applications for vulnerabilities, and monitoring of runtime behaviour, will also help to determine whether tampering has occurred.
Running applications in a safe environment brings enormous benefits to businesses and enhances user experience. The practice of "rush to release" can cause applications to fail. So, as cybercrime continues to blight the virtual world, "application to verification" will be a better approach to protecting sensitive data, minimising downtime and maximising end-user performance.