People often assume that application security, or AppSec, focuses solely on the security involved in an app or service’s development. Wrong. Development is a vital part of it, but several other areas are equally important: design, operations, maintenance, testing and deployment. AppSec ultimately covers the security of an app from inception through deployment, use and maintenance; it’s a process spanning the application’s lifetime, and you must be there every step of the way.
Why AppSec is important
Most vulnerabilities are caused by software-related issues; take cross-site scripting (XSS), for example, a late-90s vulnerability still found in apps today. Most universities didn’t teach these issues in their computer science degrees back then – many still don’t. Graduates from such institutions who are now involved in the development, testing and maintenance of apps may therefore fail to prevent, address or detect XSS. And that spells danger.
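To make the XSS point concrete, here is an added example (not code from the original post or from Immersive Labs) contrasting the two ways an app can put user-supplied text into a page: raw string concatenation, which lets the browser treat the text as markup, and context-aware HTML encoding, which is the standard prevention. It also shows the kind of small regression check an AppSec program can run against a renderer so that the mistake is detected before deployment. The display name, the helper names and the `untrusted_input_rendered_as_markup` check are all assumptions constructed for this example.

```python
"""Added example: rendering untrusted text into HTML with and without
output encoding, plus a regression check that detects the unsafe form.
All input values are constructed for illustration."""
import html
import re
from typing import Callable

# Constructed untrusted input, e.g. a display name submitted through a form.
UNTRUSTED_NAME = '<img src=x onerror="alert(1)">'

# Matches an HTML tag such as <img ...> or </p>; used only by the check below.
TAG_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_unsafe(name: str) -> str:
    """'Before' form: concatenates untrusted input straight into markup.
    Any tags inside `name` are parsed by the browser as real elements."""
    return f"<p>Welcome, {name}!</p>"


def render_safe(name: str) -> str:
    """'After' form for an element-text context: HTML-encode the value so
    '<', '>', '&' and quotes are rendered as literal characters."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def render_attribute_safe(name: str) -> str:
    """'After' form for an attribute context: encode the value AND keep the
    attribute quoted. quote=True turns '"' into &quot; so the value cannot
    terminate the attribute early."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def untrusted_input_rendered_as_markup(
    render: Callable[[str], str], payload: str = UNTRUSTED_NAME
) -> bool:
    """Regression check (hypothetical helper for this example): render the
    constructed payload and report True if any tag from the payload survives
    verbatim in the output, i.e. the renderer failed to encode it."""
    output = render(payload)
    payload_tags = TAG_PATTERN.findall(payload)
    return any(tag in output for tag in payload_tags)


if __name__ == "__main__":
    for renderer in (render_unsafe, render_safe, render_attribute_safe):
        verdict = "FAIL" if untrusted_input_rendered_as_markup(renderer) else "ok"
        print(f"{renderer.__name__:24s} {verdict}: {renderer(UNTRUSTED_NAME)}")
```

The encoding has to match the context the value lands in: element text, a quoted attribute, a URL and a script block each need different handling, which is why modern template engines escape by default and why a check like the one above belongs in the test suite rather than in a reviewer’s head.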
Apps are also responsible for processing and storing the data required for daily business operations – data so valuable it’s now dubbed ‘the oil of technology’. This naturally makes apps lucrative targets for attackers, which is why we see constant reports of breaches at organizations that failed to protect their apps. By implementing a solid AppSec program, your organization can break the mould and keep out of the security limelight.
Balancing productivity and security
One issue organizations face is increased delivery expectations. To be competitive they must roll out features ahead of their competitors – and software plays a big part in this. But maintaining the security of apps is crucial and cannot be sacrificed for speed’s sake. Promoting security using outdated practices won’t allow businesses to scale or achieve their desired pace. Embedding security into an app, however, promotes safety throughout its lifecycle without hindering delivery speed. This plays into the “shift left” mantra, which we will introduce a little later.
Another factor many organizations have to deal with is efficiency. As competition gets fiercer, profit margins dwindle, so companies need to be as efficient as possible to stay profitable. By embedding security into an application’s lifecycle, they identify issues sooner and thus reduce remedial costs. It also reduces the risk that a vulnerability found late in the lifecycle would otherwise introduce.
With regulations like the GDPR now in place, the financial implications of a breach are severe; just look at British Airways, which was fined £20 million earlier this year. Clean-up costs can also reach astronomical figures. The 2017 Equifax breach is estimated to have cost the company $1.4 billion, for instance – and who knows whether that covers the business’s resources lost to handling the fallout of the incident.
Shift left
This is a term you might have heard before, but what does it mean? Well, if you look at the typical development lifecycle of an application, it follows this path:
1. planning and design
2. development and testing
3. deployment
4. support and maintenance
As the application traverses this timeline, any issues identified become more costly to fix. You therefore want to identify security issues as early in the process as possible. Viewing the process in linear terms, with planning and design on the left and support and maintenance on the right, you want to catch issues on the left – hence the “shift left” terminology.
AppSec with Immersive Labs
Immersive Labs already has hundreds of gamified labs, but we want to empower your organization to increase, measure and demonstrate human capabilities in every facet of cybersecurity. That’s why we’ve hired a whole new team to develop world-class AppSec content for our platform. Want to see the human readiness platform in action? Book a demo using the button below.