Saturday, November 4, 2023

The Stark Revelations Of App Sec Today - Must Read

In yesterday’s blog, I wrote about Patch Tuesday and the need to develop secure source code when creating applications.  This is an effort to reduce the total number of patches you will need in the end.  But there is another area closely related to this, known as “Application Security”.  A technical definition of it is as follows:

“AppSec is the process of finding, fixing, and preventing security vulnerabilities at the application level, as part of the software development processes. This includes adding application measures throughout the development life cycle, from application planning to production use. In the past, security happened after applications were designed and developed. Today, security is “shifting left”.”

(SOURCE:  https://www.checkpoint.com/cyber-hub/cloud-security/what-is-application-security-appsec/).

So while software security deals with the code itself, Application Security (also called “App Sec”) deals with the vulnerabilities, gaps, and weaknesses that remain after the application has been launched and continues to be used throughout its lifetime.

But App Sec is more all-encompassing, as it also includes the hardware and the databases that are used to store the information and data submitted by customers and prospects.

A recent report published by the Purple Book Community reveals just how alarmingly little AppSec is taken seriously by Corporate America.  It is entitled “State of Application Security”, and it can be downloaded at this link:

http://cyberresources.solutions/blogs/App_Sec.pdf

The survey pool consisted of the following titles:

*CISOs

*Security Engineers

*Software Developers

*Application Security Engineers

*Other C Suite Executives

Here are some of the highlights of what was discovered:

*48% of the respondents claim that their IT Security team can support more than 50 software developers.

*42% can only support one to five software developers.

*24% of the respondents claim that they have no security support for software developers.

*On average, there are 100+ software developers for just one IT Security team member.

*It was discovered that vulnerabilities appear multiple times during the launch of a product and throughout its entire lifecycle, and nobody really seems to pay much attention to this.

*Only 21% of the respondents say that they remediate a vulnerability at the AppSec level within a timespan of just one day.  (More details can be seen at this link:  https://www.darkreading.com/edge/remediation-ballet-is-a-pas-de-deux-of-patch-and-performance)

The bottom line is that these numbers indicate that security is not even a priority in the development or the production release of the application.  The very slow remediation times are also compounding the problem of a lack of response to AppSec.  But here is something else interesting that the study revealed:

*100% of the respondents claim that they are deploying, or are at least planning to deploy, all of their software applications and entire infrastructures onto a Cloud platform, such as AWS or Microsoft Azure.

Although the Cloud providers do a reasonably good job of providing the tools needed to secure these apps, the tenants need to do their part in protecting them as well.  For instance, businesses need to make sure that the settings they use are not the default ones, but rather the ones that specifically meet their security requirements.

Doing this will also greatly reduce the risk of data leakage.

Thus, there is now a greater call among CISOs to quickly adopt the principles of DevSecOps.  In a general sense, this is where the IT Security and Operations teams come together and work in unison with the software development teams to act as a double check on not only the source code, but the completed web application as well, before it is rolled out into the production environment.

More information about Cloud Security can be seen at the link below:

https://www.darkreading.com/google-cloud-security/considerations-for-reducing-risk-when-migrating-to-the-cloud

Another key factor compounding the lack of AppSec resources is the extremely limited availability of the needed funding.  The survey found the following:

*22% of the respondents have no budget or funding at all.

*About 35% of the respondents claim that they have some sort of budget, but there will be no increase to it in 2024.

Because of this lack of money, only 38% of the respondents have defined any kind of AppSec program for their business, and even then only barely.

My Thoughts On This:

In response to these dismal numbers, the Purple Book Community has just launched what is known as the “Scalable Software Security Maturity Model”, also known as the “S3M2” for short.  More information about this can be seen at the link below:

https://www.thepurplebook.club/s3m2
