Maksim Kabakou - Fotolia
The root of the weakness is that app developers are often poorly educated in cyber security and are competing in an application “arms race” that prioritises speed to market over application security. In such an environment, security is falsely viewed as a handbrake on innovation, rather than an essential foundation for it.
Even if an organisation has excellent internal security, incorporating apps from third parties can mean unwittingly opening the door to a whole new layer of vulnerabilities.
Here are three of the ways organisations can safeguard against application layer vulnerabilities and reduce the risk of a security breach.
- Build layer security into your procurement process
It is important to remember that not only can outside applications introduce new functionalities and efficiencies to your organisation, but can also introduce new vulnerabilities. Free or open source code can be particularly vulnerable. One security expert likened open-source code to picking up a hot dog lying around on the floor. Although it is free, it may well be unsafe for consumption.
One organisation that I worked with planned on using a job board application to cut the cost of online recruitment. However, I checked and found it was replete with vulnerabilities, including the fact that it did not even have single sign-on.
Read more Security Think Tank articles about about application layer security
- Focus on security before app deployment.
- Counter application layer attacks with automation.
- Defend application layer with good security hygiene.
- Application layer attack mitigation needs to start with risk analysis.
- A three-pronged approach to application security.
- Deploy multiple defence layers to protect data-rich applications.
The only way organisations can protect themselves from importing vulnerabilities through third-party apps is to do due diligence on any apps being introduced to the company. All apps should be subject to thorough screening before being purchased or used.
If every organisation did this, it would ensure that secure apps outsold poor apps, creating an incentive for app developers to prioritise security above production speed.
Unless customers use their purchasing power to demand better applications, then poorly made apps will drive securely made apps out of the market because they are easier to make, just as bad money drives out good money when we make no distinction between the two.
- Incorporate testing into every stage of the process
We must end the “build first, patch later” culture and build security testing into every stage of the app development production line. App developers should not leave security testing until the quality assurance (QA) phase, just as automotive manufacturers would not leave airbag tests until the car was about to enter mass production.
Organisations should include four phases of testing: a security verification or risk assessment before proof of concept or purchase, which could include a code review or manufacturer review; repeated penetration testing and code-scanning using tools throughout the development lifecycle; pre-production software quality assurance (SQA) testing for compatibility with security standards; and a fourth and final phase of testing during production.
- Give developers the training, tools and time
When developing software in-house, the key is to give software developers the training, tools and time to develop them securely. This means ensuring all software developers are trained in cyber security so that security becomes a foundation and a framework for innovation, rather than being a last-minute bottleneck on development.
It is also vital to give software developers the tools to perform security testing at greater speed and lower cost. There are many sandbox tools that autonomously test code outside the production environment or QA tools that automatically test apps for compliance against specified standards, and these are often available through a software-as-a-service model.
All of this ultimately requires organisations to give developers enough time to make software secure. This means prioritising best practice over the race to market and treating security as a platform for greater productivity, not a barrier.