As we can read in various research papers, exploitable vulnerabilities in applications remain a top cause of external breaches. Due to the pandemic, applications often became the only way to engage with customers, which has exacerbated the problem.
To increase the security posture of your application portfolio you should have a robust Application Security (AppSec) program in place. Making sure everybody in your organization knows what needs to be done, the basis of your AppSec Program should be an easy-to-understand and accessible AppSec Policy.
In this blog post, I will speak about the minimum that needs to be in an AppSec policy. But before going into that, you have to understand your AppSec policy needs to be updated on a regular basis, based on the trends in the software development industry:
- There is an increase in the number of applications and releases.
- This increase is fueled by the increased usage of open source and commercial code.
- To increase the agility and flexibility of the different applications, and to leverage their functionality, there is an increase in the use of APIs.
- To reach more customers and make it easier to do business with you, there is an increase in the number of application types (web, mobile, social media, and cloud).
- To be able to deal with the elasticity in demand for your applications, while reducing the TCO, there is an increase in the utilization of containers (The lack of secure container configurations provides another attack vector for your applications).
As we all know, fixing AppSec issues early on in the software development lifecycle (SDLC) is more cost-effective in comparison to fixing them in test (10x) or production (30x). As a result, the responsibility for AppSec is moving from a separate AppSec team to the development teams. This shift has an additional impact on your AppSec policy:
- Place the responsibility for AppSec in the hands of the developers. Also known as shift left or developer-driven AppSec.
- To minimize the impact on the developers’ day-to-day activity, build AppSec into their DevOps pipeline.
- To reduce time to prioritize vulnerabilities to remediate, aggregate scan results from different technologies.
- To increase the AppSec during deployment, build securing container configurations into the DevOps pipeline.
- To bridge the gap between development and security, create/improve a program to build developer security champions.
- AppSec should be enabler and not an inhibitor by slowing down or even prevent releases.
Based on the aforementioned trends and observations, at a minimum, the following has to be updated/added in your AppSec policy:
1. Access Control
i. Use tokens: Establish trusted identities and then control access to services and resources by using tokens assigned to those identities.
ii. Use encryption and signatures: Encrypt your data using a method like TLS (see above). Require signatures to ensure that the right users are decrypting and modifying your data, and no one else.
iii. Use quotas and throttling: Place quotas on how often your API can be called and track its use over history. More calls on an API may indicate that it is being abused. It could also be a programming mistake such as calling the API in an endless loop. Make rules for throttling to protect your APIs from spikes and Denial-of-Service attacks.
iv. Use an API gateway: API gateways act as the major point of enforcement for API traffic. A good gateway will allow you to authenticate traffic as well as control and analyze how your APIs are used.
2. Vulnerability Identification:
i. The development teams are responsible for the identification, prioritization, and remediation of vulnerabilities in their developed source code and utilized open source and commercial code.
b. Static Application Security Testing (SAST):
i. Changes in- or the addition of- all open source, commercial code, and APIs will undergo SAST and will have no critical or high vulnerabilities before released into the TEST environment.
ii. All SAST will be seamlessly integrated into the existing CI/CD pipeline, without the need for the development to install new products/tools into their existing tool set.
c. Integrated Application Security Testing (IAST):
i. Changes in- or the addition of- all open source, commercial code, and APIs will undergo IAST and will have no critical or high vulnerabilities before released into the User Acceptance Test (UAT) environment.
ii. All IAST will be seamlessly integrated into the existing CI/CD pipeline, without the need for the development to install new products/tools into their existing tool set.
d. Mobile Application Security Testing (MAST):
i. All mobile applications will undergo MAST and will have no critical or high vulnerabilities before released into the User Acceptance Test (UAT) environment.
ii. All MAST will be seamlessly integrated into the existing CI/CD pipeline, without the need for the development to install new products/tools into their existing tool set.
3. Configuration Management:
i. Every AWS instance on which (part of) any application runs will be configured securely, using the latest version of securing AWS configuration guideline as part of the existing CI/CD pipeline.
i. Every Docker instance on which (part of) any application runs will be configured securely, using the latest version of securing Docker configuration guideline as part of the existing CI/CD pipeline.
4. Training and Education:
a. Every development team will have at least one (1) certified Security Champion program within three months after identification. The Global Internal Education team is responsible for the training and certification of this person.
The importance of AppSec is becoming more apparent as time goes on with leaders of industries experiencing the cost of having a product with vulnerabilities. Taking these steps towards your AppSec Policies will set a strong foundation that will allow your developers to work more effectively while also upholding a higher standard of quality for your application.
Don’t forget to join our Fortify Community. Have technical questions about Application Security products? Visit the Fortify discussion forum. Keep up with the latest Tips & Info about Application Security. We’d love to hear your thoughts on this blog. Log in or register to comment below.