While application security (appsec) is firmly on the radar, most organizations still have a way to go before they can be confident about how secure their apps are. Devops is accelerating the speed of development and, coupled with the shift to the cloud, it’s creating many challenges for appsec. Breaking down walls between security, development and business units is easier said than done, and the security skills shortage persists.
A world of continuous development requires continuous testing, but that’s far from a reality for most organizations. In fact, 10% of respondents to the SANS 2017 State of Application Security report admit they aren’t doing any security testing at all, 24% are relying on testing once a year or less, and just 12% are testing on a continuous basis. This has to change.
While organizations can easily find foundational best practices, such as those published by OWASP (the Open Web Application Security Project), these are just a foundation. The potential attack surface for most companies is growing rapidly and security teams are struggling to keep up with the pace of change. A wave of new public-facing web applications and cloud services must be balanced with existing custom and legacy apps.
The SANS report found that 15% of organizations had experienced a breach in the past two years, and, alarmingly, 21% don’t know whether they experienced a breach where applications were the source. We know how costly data breaches can be, so it’s vital to address appsec properly to prevent it from becoming the weak link in your defences.
It’s clear that there’s a shortage of skilled cybersecurity professionals. As many as 45% of organizations claim to have a problematic shortage of cybersecurity skills, according to ESG research, and 49% of cybersecurity professionals are solicited to consider other cybersecurity jobs at least once per week.
This has led many organizations to shift the security testing burden onto development teams. In fact, the number of development teams tasked with security testing has increased from 22% in 2015 to 51% in 2017, according to the SANS report. Deeper analysis reveals that teams with the most rapid development procedures are finding fewer vulnerabilities. The worry is that this is because their testing is superficial, so as not to interfere with fast feedback cycles.
Without proper training and under pressure to deliver code quickly, there’s a real risk that developers are failing to test application security as thoroughly as they should. Temporary hires, such as virtual CISOs, should be considered as a way to plug the gap and train internal staff properly. But third-party testing by experts is still vital for proper appsec and should not be dispensed with lightly.
Without proper testing, your security program is a wish list. If you want to fold security into the devops mix and achieve devsecops, then you must build cross-functional teams, apply security principles from day one of development, and foster a culture of genuine collaboration. Security cannot take a back seat because of deliverable deadlines or fear that modifying code will break the app.
It’s important to consider whether training overloaded development and engineering teams and making them more responsible for security is really the best route to take. Even if you do take that path, you still need to engage an external third party with no vested interest in your app to verify that your security measures are working as intended. There’s simply no substitute for the kind of expert, cutting-edge penetration testing that a dedicated, external cybersecurity firm can provide.
While the pursuit of speed in development has thrown up some fresh challenges, there are also some welcome advantages with regard to remediation. The SANS report found that 41% of serious or critical vulnerabilities are now fixed within a week and 75% are fixed within a month. In 2016, only 66% were fixed within a month, so that’s a positive trend.
As silos are pulled down, collaboration increases, and more security testing is automated, we should see tangible improvements in application security, but third-party testing will remain a vital piece of the puzzle for the foreseeable future.