What is Application Security?
A 2012 survey by the Forrester Group found that 50% of all companies suffered an application security breach in the prior 18 months. 18% estimated their cost of recovery at $500,000 or more. Damages from application breaches remain a significant cost to businesses today. Another recent industry survey in 2015 found security experts’ number one priority was securing web applications, but cloud and mobile applications had leapt into second and third place.
Application Security (AppSec) is the practice of protecting these particularly vulnerable types of software during development, in production, and after a compromise has happened. When done correctly, Application Security is a full-lifecycle practice.
The State of AppSec Today
In recent years compromises at Sony, Target, JPMorgan Chase, and the US Department of Veterans Affairs have all made headlines. Because of these, the general public is now quite aware of the importance of application security.
The latest industry trend in AppSec is increased collaboration between application developers and security teams. But challenges remain. Driven by deadlines, developers may still see security as ‘someone else’s problem.’ Security staff, meanwhile, sometimes try to regulate only through administrative measures like compliance reviews rather than actual technical fixes.
Application Security Tips
1) Hope for the best, prepare for the worst
Assume it’s not a matter of if, but when, your organization will suffer a compromise. It’s unfortunately true that you either pay for AppSec up front or you pay to clean up a compromise. Fully document your applications and infrastructure. Have a recovery plan. While there are costs to proper AppSec, smart organizations know to balk at the recovery costs, not the up-front costs.
2) It’s Never Too Early to Begin AppSec
Don’t wait for your application’s release to test security. Make security testing part of your developers’ quality assurance (QA) process. After all, security is a quality customers care about.
3) Never Completely Trust Your Users
It would be nice to think that only customers are using your applications, but if you don’t authenticate your app’s users you really have no idea who is using them. That long series of bad requests could be purely accidental, somebody mistyping your application’s web address, or it could be someone probing your defenses.
4) Actively Deny Bad Requests
You should know exactly what types of network access your applications allow and which ones they do not. Actively block those bad requests. You never want to be surprised by activity in what you assumed was a harmless area of your network.
5) Don’t Reveal More Than You Need To
In the same spirit, make sure the accessible parts of your applications don’t reveal more than you want either. Have your developers strip unnecessary technical comments from your app code. Make sure the error messages customers see are as short as possible. Detailed error messages and comments can provide more information than you want about your infrastructure.
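Tips 3, 4 and 5 come together in a small request gateway. The following is an added example written for this article, not code from the original or from any product it mentions: it authenticates every caller against a hashed token store, allows only an explicit list of routes and rejects everything else, counts rejected requests per client and blocks a client that keeps sending them, and returns terse error messages to the client while the detailed reason goes only to the server log. The route allowlist, token, threshold and client addresses are all constructed for the demo.

```python
import hashlib
import hmac
import logging
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("appsec-demo")

# Constructed allowlist: the only (method, path) pairs this app serves (tip 4).
ALLOWED_ROUTES = {("GET", "/orders"), ("POST", "/orders")}

# Constructed credential store: SHA-256 of each token, never the token itself (tip 3).
VALID_TOKEN_HASHES = {hashlib.sha256(b"demo-token-123").hexdigest()}

# Block a client after this many rejected requests (assumed value for the demo).
BAD_REQUEST_THRESHOLD = 3


@dataclass
class Request:
    method: str
    path: str
    client_ip: str
    token: Optional[str] = None
    body: str = ""


@dataclass
class Gateway:
    bad_counts: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)

    def _reject(self, req, status, public_msg, internal_detail):
        # The detailed reason stays in the server log; the client sees only public_msg (tip 5).
        self.bad_counts[req.client_ip] += 1
        log.warning("%s %s from %s rejected: %s",
                    req.method, req.path, req.client_ip, internal_detail)
        if self.bad_counts[req.client_ip] >= BAD_REQUEST_THRESHOLD:
            # A run of bad requests may be accidental or may be probing; either way, deny it.
            self.blocked.add(req.client_ip)
            log.warning("blocking %s after repeated bad requests", req.client_ip)
        return status, public_msg

    def _authenticated(self, token):
        if token is None:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        # compare_digest keeps the comparison time independent of where the digests differ.
        return any(hmac.compare_digest(digest, h) for h in VALID_TOKEN_HASHES)

    def handle(self, req):
        """Return (status, message) for one request."""
        if req.client_ip in self.blocked:
            return 403, "Forbidden"
        if (req.method, req.path) not in ALLOWED_ROUTES:
            # Unknown routes get the same terse answer whether or not they exist internally.
            return self._reject(req, 404, "Not found", "route not on allowlist")
        if not self._authenticated(req.token):
            return self._reject(req, 401, "Unauthorized", "bad or missing token")
        try:
            return 200, self._serve(req)
        except Exception:
            # Stack trace and exception text are logged, never sent back to the client.
            log.exception("handler failure for %s %s", req.method, req.path)
            return 500, "Internal error"

    def _serve(self, req):
        # Stand-in for the real application logic.
        if req.method == "POST" and not req.body.strip():
            raise ValueError("empty order body")  # internal detail only
        return "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    gw = Gateway()
    print(gw.handle(Request("GET", "/orders", "10.0.0.1", "demo-token-123")))
    for _ in range(BAD_REQUEST_THRESHOLD):
        print(gw.handle(Request("GET", "/admin", "10.0.0.2")))
    print(gw.handle(Request("GET", "/orders", "10.0.0.2", "demo-token-123")))
```

The order of the checks matters: the allowlist is consulted before authentication so that an unauthenticated caller learns nothing about which routes exist beyond the public ones, and every rejection, whatever its cause, increments the same per-client counter that drives the block.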