Toward zero-trust: 8 steps to boost app sec

John P. Mello Jr., Freelance writer, Independent

Application security has many organizations worried—and for good reason. But there are steps you can take to mitigate at least some of the threats. 

Application breaches are on the rise, and so are the security risks of running business-critical apps in unprotected environments. Companies are also not adequately investing in application security until after breaches occur, resulting in loss of productivity, customer trust, and revenue.

Consider these findings from a recent study of 1,400 IT and security practitioners by the Ponemon Institute on behalf of Arxan Technologies, an application security provider:

  • 75% of organizations have likely, most likely, or definitely experienced a material cyber attack in the last year due to a compromised application.
  • 64% of IT pros are concerned or very concerned that their organizations will be hacked through an application.
  • 54% expect the severity of the threats to their organizations to increase in 2018.
  • Only 25% of IT practitioners say their organization is making significant investments in solutions to prevent application attacks.

"This is a big deal," said Rusty Carter, vice president of product management at Arxan.

"It’s not pocket change. The average data breach costs almost $4 million when you include lost customers, the impact to operations, and your insurance costs going up."
Rusty Carter

Here's why zero trust is key—plus eight steps for boosting your application security.


Apps make attractive targets

All application usage has been growing, especially for web applications. Nitzan Miron, vice president of product management for application security at Barracuda Networks, pointed out that in 2010, the average organization had 5 web applications; in 2018, it's 54.

"Where before an organization may have had a corporate website and a blog, now an entire business can be running on web applications."
Nitzan Miron

What that means is the data handled by those applications is much more valuable and much more attractive to threat actors.

"If you hack into somebody's corporate website, the best you can do is vandalize it," Miron explained. "If you hack into their blog, the best you can do is deface it. But if you can hack into the payroll system, you can get everybody's Social Security number. If you hack into HR, you can get everybody's work history."

Jeff Williams, CTO and co-founder of Contrast Security, noted that applications, on average, contain a staggering 26.8 serious vulnerabilities each.

"Applications are the leading cause of breaches by a wide margin—more than twice the next leading cause. Attacks searching for these vulnerabilities are also widespread. The typical application can expect to see thousands or millions of attacks each month."
Jeff Williams

Information goodies aren't the only reason apps attract hackers, said Chris Wysopal, CTO of CA Veracode.

"Attackers don't just attack apps to get at the data they access, but also to use them as steppingstones to hop further into an organization's network."
Chris Wysopal

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said off-the-shelf software that's continually updated is adding to the worry. 

"For many businesses today, web applications act as the front door to their organizations. The complexity of the problem is growing."
Leigh-Anne Galloway

Key steps to boost app sec

1. Secure your APIs

Anything that exposes an application to potential malicious access is fair game for attackers. That includes APIs, even though their attack surfaces can be tightly restricted.

Security for APIs can be overlooked when they're used to dynamically generate content on a website. "You generally only intend to use those APIs yourself, so security is often lacking," explained Reid Tatoris, vice president for product marketing and outreach at Distil Networks, a bot mitigation and API security company.

"We've seen a large increase in hackers exploiting internal APIs that web apps use," he said.

Mobile APIs are also targeted by hackers, who use malware to hijack a mobile device or steal credentials. Once they access the API, they use it to scrape data from their target.

APIs need to be evaluated with an eye to what access to sensitive data and resources they're exposing. "That's just as important as security for other aspects of applications," observed Scott Crawford, research director for information security at 451 Research.
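The pattern Tatoris and Crawford describe, an "internal" API written for the site's own JavaScript that trusts whatever id it is handed, is easy to reproduce. The following is an added illustration, not code from the article or from any of the companies quoted: a tiny HR-records endpoint in two forms. The unprotected version returns any record by id; the hardened version authenticates the caller, authorizes per object (only your own record), and rate-limits the caller to blunt the credential-driven scraping described for mobile APIs. The employee records, session tokens and function names are all constructed for the example.

```python
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed sample data: an "HR records" store keyed by employee id.
EMPLOYEE_RECORDS: Dict[int, dict] = {
    1: {"name": "A. Example", "ssn_last4": "1234", "salary": 91000},
    2: {"name": "B. Example", "ssn_last4": "5678", "salary": 87000},
}

# Constructed session table: bearer token -> authenticated employee id.
SESSIONS: Dict[str, int] = {"tok-user1": 1, "tok-user2": 2}


def unprotected_employee_api(params: Dict[str, str]) -> Tuple[int, Optional[dict]]:
    """The 'internal' endpoint as it is often written: the page's own
    JavaScript passes ?id=N, the server trusts it, and anyone who finds the
    URL can walk every id and scrape the whole table."""
    user_id = int(params.get("id", "0"))
    record = EMPLOYEE_RECORDS.get(user_id)
    return (200, record) if record else (404, None)


class RateLimiter:
    """Fixed-window counter per caller key; slows down automated scraping."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._hits: Dict[str, Tuple[float, int]] = {}

    def allow(self, key: str, now: float) -> bool:
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0          # window expired, start a fresh one
        count += 1
        self._hits[key] = (start, count)
        return count <= self.limit


def _caller_from_headers(headers: Dict[str, str]) -> Optional[int]:
    """Resolve 'Authorization: Bearer <token>' to an employee id, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    for known, uid in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return uid
    return None


def protected_employee_api(params: Dict[str, str], headers: Dict[str, str],
                           limiter: RateLimiter, now: Optional[float] = None
                           ) -> Tuple[int, Optional[dict]]:
    """Same endpoint hardened: authenticate, rate-limit, then authorize per object."""
    now = time.time() if now is None else now
    caller = _caller_from_headers(headers)
    if caller is None:
        return 401, None                     # no valid session: not even a lookup
    if not limiter.allow(f"user:{caller}", now):
        return 429, None                     # too many calls in this window
    try:
        user_id = int(params.get("id", ""))
    except ValueError:
        return 400, None
    if user_id != caller:
        return 403, None                     # object-level authorization
    record = EMPLOYEE_RECORDS.get(user_id)
    return (200, record) if record else (404, None)
```

The check that matters most here is the `user_id != caller` comparison: authentication alone still lets a logged-in user enumerate everyone else's record, which is exactly the scrape the article warns about.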

2. 'Fuzz' your apps

A common tactic of threat actors is to feed an application malformed input until it breaks, hoping the failure exposes an exploitable weakness; buffer overflows triggered by oversized input are the classic example. To find those weaknesses first, organizations should "fuzz" their apps: systematically throw large volumes of unexpected, malformed, or randomly mutated input at the app and watch for crashes, hangs, and other behavior the app was never designed to exhibit.

"Adversaries can be very creative in the ways they seek to evaluate how applications will respond," Crawford said. "That's why having good visibility into how applications perform under any number of circumstances should be a priority for organizations."
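To make the fuzzing idea concrete, here is an added example that is not from the article or from 451 Research: a small mutation-based fuzzer run against a constructed, deliberately buggy record parser. The parser's documented contract is to raise `ValueError` on malformed input; it trusts a declared length field without a bounds check, so truncated input makes it blow up with `IndexError` instead. The fuzzer mutates a valid seed message (byte overwrite, truncation, insertion, bit flip), treats the documented rejection as normal, and reports the first input that triggers anything else. The record format, the parser and the function names are all constructed for this example.

```python
import random
from typing import Callable, List, Optional, Tuple


def _checksum(payload: bytes) -> int:
    c = 0
    for b in payload:
        c ^= b
    return c


def parse_records(data: bytes) -> List[bytes]:
    """Constructed fuzz target.
    Format: repeated [length:1][payload:length][checksum:1], checksum = XOR of payload.
    Contract: raise ValueError on malformed input.
    Bug: the declared length is trusted, so a record cut short raises IndexError."""
    records, i = [], 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]        # slicing silently shortens...
        checksum = data[i + 1 + n]             # ...but indexing past the end crashes
        if checksum != _checksum(payload):
            raise ValueError("bad checksum")
        records.append(payload)
        i += 2 + n
    return records


def encode_records(payloads: List[bytes]) -> bytes:
    """Build a valid message, used as the fuzzer's seed corpus."""
    out = bytearray()
    for p in payloads:
        out += bytes([len(p)]) + p + bytes([_checksum(p)])
    return bytes(out)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a seed input."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                            # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) > 1:                 # truncate the tail
        del buf[rng.randrange(1, len(buf)):]
    elif choice == 2:                                  # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                                          # flip one bit
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 2000, seed: int = 1,
         expected: Tuple[type, ...] = (ValueError,)
         ) -> Optional[Tuple[bytes, BaseException]]:
    """Mutation-based fuzzing loop. Returns (input, exception) for the first
    crash, meaning an exception outside the target's documented contract,
    or None if nothing unexpected happened within the iteration budget."""
    rng = random.Random(seed)                          # seeded: reproducible runs
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except expected:
            continue                                   # documented rejection, not a bug
        except Exception as exc:                       # anything else is worth triaging
            return candidate, exc
    return None


if __name__ == "__main__":
    corpus = [encode_records([b"hello", b"world"])]
    result = fuzz(parse_records, corpus)
    if result:
        crash_input, exc = result
        print(f"crash: {type(exc).__name__} on input {crash_input.hex()}")
```

Two design points carry over to real fuzzing: the seed is a well-formed message so mutations stay close to the grammar the parser expects, and the harness distinguishes the parser's documented rejection from a genuine crash, because a fuzzer that flags every `ValueError` buries the real bugs in noise.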

3. Shift security left

Moving security left, to earlier in the development lifecycle, is another way to improve an application's security. That's because security issues usually originate in the application's code, long before the software reaches production.

The earlier those issues can be discovered, the more secure the app will be in the long run. It also lowers the cost of protecting the app because it costs less to catch flaws early in the process than when the software is about to be deployed.

"It is often not possible to protect or detect application attacks with a network security solution such as an IDS or a firewall," CA Veracode's Wysopal explained. "That is why it is important to reduce the number of vulnerabilities in an application during the development process."

Positive Technologies' Galloway asserted that it's critical to implement automated code analysis at the point of software development. "By doing that, security is integrated at the point of software creation," she said.

The shift-left approach, though, isn't for everyone. Small and medium-sized businesses "don't have the resources to do that," Barracuda Networks' Miron noted.

Securing code is only part of the challenge, added Brian Contos, CISO of Verodin, the maker of a platform to measure, manage, and improve cybersecurity effectiveness. "App security requires a layered approach—starting with creating secure apps, managing those apps in the enterprise, and protecting the code from reverse engineering, as well as protecting and monitoring the systems those apps interact with," he said.

4. Identify application dependencies

The growth in the use of third-party components in applications has increased the risk of application compromise. "These days, because of the complexity involved in an application, there's just so much happening that you can't write all the code yourself," explained Raj Rajamani, vice president of product management at SentinelOne. "There are so many open-source projects that ... can reduce your time to market."

To get a handle on those third-party risks, organizations need to gain visibility into what open-source components are used by their applications and how they're used. They can do that through the use of software composition analysis tools. "I expect to see continued adoption of software composition analysis for the next several months," 451 Research's Crawford said.
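The core of what a software composition analysis tool does is an inventory-and-compare step: enumerate the components an application pins, then match each against an advisory feed by version range. As an added example (not from the article, 451 Research, or any SCA vendor), the block below implements that step over a constructed lockfile and a constructed, hypothetical advisory list. The package names, versions and advisory identifiers are invented for the illustration and do not describe real vulnerabilities; a real tool reads a vulnerability database, also walks transitive dependencies, and ideally checks whether the vulnerable code is actually reached.

```python
import re
from typing import Dict, List, Tuple

# Constructed lockfile (requirements.txt style) with pinned versions.
LOCKFILE = """\
# generated by the build, exact pins only
examplehttp==2.19.1
urlpool==1.22
templatelib==2.10
cryptokit==2.3   # comment after a pin
"""

# Constructed, hypothetical advisory feed: a version is affected if
# introduced <= version < fixed. These entries are made up for the example.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "urlpool", "introduced": "1.0", "fixed": "1.23"},
    {"id": "EXAMPLE-ADV-2", "package": "templatelib", "introduced": "2.0", "fixed": "2.10.1"},
    {"id": "EXAMPLE-ADV-3", "package": "examplehttp", "introduced": "2.0", "fixed": "2.19.1"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; pre-release tags are out of scope here."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {package: pinned_version}. Refuses unpinned lines, because an
    inventory built from ranges instead of exact pins is not an inventory."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(lockfile_text: str, advisories: List[dict]) -> List[dict]:
    """Cross-reference the inventory against the advisory feed."""
    deps = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"].lower())
        if installed and is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in audit(LOCKFILE, ADVISORIES):
        print(f"{f['package']}=={f['installed']}: {f['advisory']}, upgrade to {f['upgrade_to']}")
```

Note the boundary case in the constructed data: `examplehttp==2.19.1` is pinned at exactly the fixed version, so it is correctly not reported, while `templatelib==2.10` is reported because `2.10` sorts before `2.10.1`.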

5. Scan application code for vulnerabilities

A number of tools and service firms will test code for errors before it's deployed. These scans can reveal common flaws such as cross-site scripting vulnerabilities. "That's a basic type of visibility that developers should get," SentinelOne's Rajamani said.

Organizations should demand that software applications—either built or bought by their organization—be tested for vulnerabilities before they are released, observed Anita D'Amico, CEO of Code Dx. "Applications must be subjected to both static application security testing performed on the source or binary code, as well as penetration testing," she said.

"Organizations should also require that software suppliers demonstrate proof that the application being delivered has been adequately tested for security weaknesses," she added.

CA Veracode's Wysopal explained that one of the most important facets of application security is to test every application at least once to understand if there is significant risk that must be remediated. "Sadly, some applications aren’t even getting scanned once," he noted.

"There is an attitude that only the most critical apps should get tested," he continued. "This leaves an opening for attackers, who often breach an organization through an application that was thought of as low-risk."

6. Perform penetration testing

Hiring hackers to break into your network through an application is a common way to expose vulnerabilities. Organizations will enlist penetration testers and bug bounty hunters as a way to beef up application security. The practice has been so successful that even government agencies, including some military services, have launched bug bounty programs to test their security.

Jason Haddix, vice president of trust and security at Bugcrowd, explained that application security begins with threat modeling. This means determining where sensitive data is handled, what apps are handling it, and how they're handling it. "That alone is no small task," he said. "After that you need to verify your codebase is hardened by inviting outside specialists ... to test the application and submit flaws to you."

SentinelOne's Rajamani added that large organizations are becoming increasingly aware of penetration testing. "They have their own red teams take a crack at their applications," he noted.

"That's something new and wasn't seen as recently as two years ago."
Raj Rajamani

7. Validate back-end security systems

Applications don't operate alone. They interact with server apps, databases, and networks. Those systems need to be secure, too, but too often they're not.

Firewalls, intrusion prevention systems, web application firewalls (WAFs), data loss prevention (DLP) tools, endpoint security controls, and other solutions can all provide a great amount of value. However, those systems are rarely validated, and organizations simply assume they are operating as needed. Many suffer from misconfigurations, incomplete deployments, or environmental drift, where a control that once worked quietly stops providing protection after a change elsewhere in the environment.

"Security based on assumptions is common and it's a massive problem leading to poor security ROI and breaches," Verodin's Contos said. "As dependency on secure apps increases, so does the need to validate that the back-end systems are also secure."

8. Foster a culture of security

Organizations should nurture a "security-positive" culture. "This makes a real difference in the success of adopting security policies," Positive Technologies' Galloway said.


The future holds promise

In the end, application security depends on visibility into what the app is doing while it runs. "In the future, application security will correlate information about what's happening at the endpoints with behaviors seen on the server to get a more complete picture of the application as a whole," explained Aaron Lint, vice president for research at Arxan.

"Accumulating endpoint events with server events and seeing that entire workflow is the most promising way to detect threats over the lifetime of an application," he added.