We have seen how the cybersecurity landscape has shifted significantly in the last few years. According to the 2017 Verizon Data Breach Incident Report, web application attacks were the fourth most significant incident category and the #1 most frequent source of breaches. As enterprise security professionals, tools, and counter-measures continue to improve the security of the infrastructure, cybercriminals have moved on to areas where vulnerabilities are easier to find and exploit.


This highlights that the conventional wisdom of defense, securing endpoints and the network and implementing sophisticated malware and virus management, is still extremely important but lacks the ability to address the new reality: the application layer is now the target.


Forrester, in the description of their report The State Of Application Security, 2018, states “In 2017, applications rolled out the welcome mat to malicious hackers, topping the list of successful external attack targets. Why? Developers continue transitioning from perfect to fast to provide unique customer experiences, and there aren't enough security pros to maintain manual application security review processes.”


Here are some quick wins that application security can provide to put you on the offensive in cybersecurity.


Reduce Risk at the “Source”

Studies show that application errors are 10 times more expensive (read: difficult) to find and fix once the application has been released. The benchmark, therefore, should be set at the other end: finding and fixing them before release. Security tools, several of which integrate directly into the development environment, provide immediate feedback on potential vulnerabilities. Developers can then eliminate the identified vulnerability right away, so it doesn’t even make it into unit test.

Security Training for Non-Security Development Staff

Overall, people, and their predictable behavior, are still the #1 source of active breach incidents. So, along with the training your security staff has implemented for end users, ongoing training should be established for your development team. Making sure they understand key vulnerabilities, such as the top-listed injection vulnerability identified in the OWASP 2017 Top 10 report, cross-site scripting attacks, components with known issues, and other possible attack vectors, will significantly reduce risk.
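As an added illustration of the two points above, the immediate in-editor feedback described under "Reduce Risk at the Source" and the injection vulnerability named here, the following script (written for this article, not a product the page mentions) uses Python's `ast` module to flag queries that are assembled at runtime before they reach an `execute()` call; the "before" and "after" snippets it scans are constructed samples.

```python
# Added illustration (not a real product) of in-editor feedback: flag SQL
# that is assembled at runtime and handed to a DB-API execute() call.
import ast

QUERY_CALLS = {"execute", "executemany", "executescript"}  # DB-API cursor methods


def dynamic_reason(node):
    """Return why the node builds a string at runtime, or None if it is static."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format() call"
    return None


def find_dynamic_sql(source):
    """Return (line, reason) for each execute-style call whose query argument
    is built at runtime instead of being passed as a parameterised query."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in QUERY_CALLS and node.args:
            reason = dynamic_reason(node.args[0])
            if reason:
                findings.append((node.lineno, reason))
    return findings


# Constructed sample: 'before' splices user input into the query text,
# 'after' lets the driver bind the value as a parameter.
VULNERABLE = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")
'''
FIXED = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for lineno, reason in find_dynamic_sql(VULNERABLE):
        print(f"line {lineno}: query built by {reason}; use a parameterised query")
    print("findings in fixed version:", find_dynamic_sql(FIXED))  # []
```

Run as a pre-commit hook or editor plugin, a check like this reports the defect on the developer's own machine, which is the "source" the section above refers to.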

Inventory and Schedule Assessments

One leading application security vendor has found that as many as 70% of applications fail the OWASP vulnerability scan, while another indicates that many mid- to large enterprises have web pages, websites, and web applications that are no longer actively managed or even inventoried. Assigning responsibility for a comprehensive inventory of active web pages and web applications, as well as web-accessible externalized application interfaces, should be a high priority. Then schedule a check-up: determine on a priority basis which applications pose the most significant risk and assess them first, but be sure to assess all your web applications as soon as possible. George Washington wrote in 1799: "…make them believe, that offensive operations, often times, is the surest, if not the only (in some cases) means of defense". Good application security planning will allow you to take the offense.
