Today’s applications need to be protected from the inside as well as the outside. What does that mean? Let me illustrate with a situation we have probably all dealt with. Have you ever opened your refrigerator and discovered a package of leftovers you had forgotten about? Maybe it was a Styrofoam box holding the remnants of a great meal from your favorite restaurant. Or perhaps you had enjoyed a wonderful home-cooked meal with your family, but there was too much food for one sitting, so you put the remains into plastic containers and stored them.
And then you promptly forgot about it.
Then a few weeks or even months go by. Or maybe you went grocery shopping, restocked your shelves, and pushed that container even further back in the refrigerator. Finally the day came when you noticed it again, only this time a few things had changed, right? Changes like mold everywhere inside it, and a distinct new aroma. What do you do? You kick yourself for forgetting about it, and then you throw out everything in the container, and maybe even the container itself.
Unfortunately, for a lot of organizations, this is exactly how they are treating their applications.
The 2019 State of Cybersecurity study from HCL found that while 60% of information security professionals expect a cyberattack on their organization this year, only 34% are confident their team could handle it. Why is that the case? The reasons are many. An ever-expanding threat landscape and a growing number of attack vectors come to mind right away. But another big reason is that they know most applications are vulnerable on the day they are deployed. Pressure to meet deadlines and release dates forces development tradeoffs that eat into testing schedules, so even with the best of intentions it is very likely that an application developed today ships with vulnerabilities that leave it open to attack. Veracode’s 2018 State of Software Security report found that 85% of all applications have at least one vulnerability. Factor in the growing use of open source components and the risk rises further: according to the State of Open Source Vulnerability Management report from Whitesource, reported vulnerabilities in open source components rose by over 52% in 2017 alone.
When it comes to cybersecurity, many companies I have seen focus most of their effort on securing the perimeter, or what I would call the “outside”: threat detection, network protection, identity and access control, endpoint management and the like. All of these are necessary; they are meant to keep the good stuff in and the bad stuff out. Now think back to the food analogy. This approach is like putting good leftovers into a container and storing it in the refrigerator. We have a “secure” environment specifically designed to keep food cold so that it can be safely consumed later. So why did the food go bad?
Simple. Because of what was already in it when we stored it.
With our food, we thought about what type of container to use, and we chose one appropriate for our refrigerator. We considered where to place it: in a humidity-controlled bin, on the inside of the door, or strategically on a particular shelf. It is safe to assume that at no point did we consider placing it somewhere it would spoil. Yet even inside that sealed container, in the cold environment of the refrigerator, there is enough air and moisture for microorganisms to grow. We want to, and should, take full advantage of sealed containers and refrigeration, but all they really do is slow the process down. The problem is not the appliance we used or the container we chose; it is what was already inside what we stored. Given enough time, those microorganisms produce mold, turning something great into something unusable. If we wanted to maximize the shelf life of the food, we would need to protect it from the inside out: find and remove as many of those microorganisms as possible before it ever went into the container.
Now think about your software applications.
They are written and then built. They are packaged into containers, and those containers are delivered into environments specifically designed to host them. All is great until the vulnerability that no one realized was in the application gets exploited, and now the organization is at risk. Nothing in that pipeline changed the code itself: whatever flaw was in the source, or in the open source components it pulled in, was carried along into every environment the container was deployed to. And today, more than ever, application security is paramount to business success. In short, you need to protect from the inside out too.
And if that isn’t enough to convince you of the need for a comprehensive application security program, consider these additional facts. A 2019 report from Forrester (obtained from SecurityBoulevard.com) stated that the top two ways successful breaches were carried out were through web applications (36%) and software vulnerabilities (35%). These were also the top two in the 2018 report. So what does that mean? It means hackers and cybercriminals are most often looking to exploit existing weaknesses in the application layer, and the truth is that those weaknesses are usually not hard to find. It means we can make extensive use of container technologies, and we can have great networks, monitoring, alerting, endpoint management techniques and threat detection models, but if we don’t protect from the inside out by securing the applications themselves, we leave ourselves open and exposed.
So how do we secure the inside? That is what will be explored in this series. The first step, though, is to recognize that security is a big part of the overall quality conversation. It is every bit as important as functional testing, performance testing, regression testing, UI testing, API testing and so on. Longer term, security has to be ingrained in the organizational culture.
The bottom line is that companies can no longer simply run scans using the same set of policies and tests from previous releases and assume that is enough to be secure. To truly protect from the inside out means integrating application security into the development cycle with a comprehensive approach. After all, applications are built with a focus on how they will perform and be used. Hours are spent designing and implementing innovative capabilities to differentiate from competitors. There is intense focus on the user experience, looking for ways to simplify and enhance it. And while no one wants to make insecure apps, how much time is really spent thinking about security?
Stay tuned for additional blogs in this series as we explore more details and aspects of a comprehensive application security program.