In yesterday’s blog, I wrote about Patch Tuesday and the need to write secure source code when building applications, in an effort to reduce the number of patches you will need in the end.
But there is another concept closely related to this: what is known as “Application Security”.
A technical definition of it is as follows:
“AppSec is the process of finding, fixing, and preventing security vulnerabilities at the application level, as part of the software development processes. This includes adding application measures throughout the development life cycle, from application planning to production use. In the past, security happened after applications were designed and developed. Today, security is ‘shifting left’.”
(SOURCE: https://www.checkpoint.com/cyber-hub/cloud-security/what-is-application-security-appsec/)
So while software security deals with the code itself, Application Security (also called “AppSec”) deals with the vulnerabilities, gaps, and weaknesses that remain after the application has been launched and continue to matter throughout its lifetime.
But AppSec is more all-encompassing than that, as it also includes the hardware and the databases that store the information and data submitted by customers and prospects.
A recent report published by the Purple Book Community reveals, alarmingly, just how little AppSec is taken seriously by Corporate America. It is entitled “State of Application Security”, and it can be downloaded at this link:
http://cyberresources.solutions/blogs/App_Sec.pdf
The survey pool consisted of the following titles:
*CISOs
*Security Engineers
*Software Developers
*Application Security Engineers
*Other C Suite Executives
Here are some of the highlights of what was discovered:
*48% of the respondents claim that their IT Security team can support more than 50 software developers.
*42% can only support one to five software developers.
*24% of the respondents claim that they have no security support for software developers at all.
*On average, there are 100+ software developers for just one IT Security team member.
*Vulnerabilities arise repeatedly, both at product launch and throughout its entire lifecycle, yet nobody really seems to pay much attention to this.
*Only 21% of the respondents say that they remediate a vulnerability at the AppSec level within a timespan of just one day. (More details can be seen at this link: https://www.darkreading.com/edge/remediation-ballet-is-a-pas-de-deux-of-patch-and-performance)
The bottom line is that these numbers indicate that security is not a priority in either the development or the production release of the application. The very slow remediation times further compound the lack of response to AppSec. But the study revealed something else of interest:
*100% of the respondents claim that they are deploying, or at least planning to deploy, all of their software applications and entire infrastructures onto a Cloud platform, such as AWS or Microsoft Azure.
Although the Cloud providers do a reasonably good job of providing the tools needed to secure these apps, the tenants need to do their part in protecting them as well. For instance, businesses need to make sure that the settings they use are not the default ones, but rather the ones that specifically meet their security requirements.
Doing this will also greatly reduce the risk of data leakage.
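One practical way to act on this is a small policy-as-code check that compares each deployed resource against the settings the business itself requires, and flags anything still sitting at a permissive default. The example below is added here and is not code from the original post, the Purple Book Community, or any Cloud provider; the resource inventory, the baseline, and the setting names are constructed for illustration and do not correspond to a real provider API.

```python
"""
Added example: flag cloud resource settings that were left at permissive
defaults instead of being set to the tenant's own security requirements.
All names, settings and sample data here are constructed (hypothetical);
nothing is read from a real Cloud provider.
"""

# Baseline: the settings the tenant wants enforced (hypothetical).
# Boolean entries must match exactly; the one integer entry is a minimum.
BASELINE = {
    "storage": {
        "public_access": False,
        "encryption_at_rest": True,
        "access_logging": True,
        "versioning": True,
    },
    "database": {
        "publicly_accessible": False,
        "tls_required": True,
        "backup_retention_days": 7,   # minimum number of days
        "audit_logging": True,
    },
}

MINIMUM_KEYS = {"backup_retention_days"}


def check_resource(kind, name, settings):
    """Compare one resource's settings with BASELINE[kind].

    Returns a list of human-readable findings. A key missing from
    `settings` is treated as 'left at provider default' and is flagged,
    because an unset control is exactly the case the text warns about.
    """
    findings = []
    for key, expected in BASELINE[kind].items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{kind}/{name}: {key} is unset (provider default), expected {expected!r}")
            continue
        ok = actual >= expected if key in MINIMUM_KEYS else actual == expected
        if not ok:
            findings.append(f"{kind}/{name}: {key}={actual!r}, expected {expected!r}")
    return findings


def audit(inventory):
    """Run check_resource over a whole inventory and collect every finding."""
    findings = []
    for res in inventory:
        findings.extend(check_resource(res["kind"], res["name"], res["settings"]))
    return findings


# Constructed inventory: two resources described the way a provider-agnostic
# inventory export might list them. Both contain deliberate weak settings.
SAMPLE_INVENTORY = [
    {"kind": "storage", "name": "customer-uploads",
     "settings": {"public_access": True, "encryption_at_rest": True,
                  "access_logging": False, "versioning": True}},
    {"kind": "database", "name": "crm-prod",
     "settings": {"publicly_accessible": False, "tls_required": True,
                  "backup_retention_days": 1, "audit_logging": True}},
    # A resource with a control never configured at all:
    {"kind": "storage", "name": "static-site",
     "settings": {"public_access": True, "encryption_at_rest": True,
                  "versioning": False}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print("FINDING:", finding)
```

Running the script against the constructed inventory reports the publicly readable upload bucket, its missing access logging, the one-day backup retention on the database, and, for the static site, the public access, the unset access logging, and the disabled versioning. Treating an absent key as a finding is a deliberate design choice: a control that was never configured is still running on the provider's default, which is the situation the paragraph above cautions against.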
Thus, there is a greater call now among CISOs to quickly adopt the principles of DevSecOps. In a general sense, this is where the IT Security and Operations teams come together and work in unison with the software development teams to act as a double check of not only the source code, but the completed web application as well, before it is rolled out into the production environment.
More information about Cloud Security can be seen at the link below:
Another key problem compounding the lack of AppSec resources is the extremely limited availability of funding. The survey found the following:
*22% of the respondents have no budget or funding at all.
*About 35% of the respondents claim that they have some sort of budget, but there will be no increase to it in 2024.
Because of this lack of money, only 38% of the respondents have defined any kind of AppSec program, even a rudimentary one, for their business.
My Thoughts On This:
In response to these dismal numbers, the Purple Book Community has just launched what is known as the “Scalable Software Security Maturity Model”, also known as “S3M2” for short. More information about this can be seen at the link below:
https://www.thepurplebook.club/s3m2