Addressing the problems with application security

Over the last few decades, enterprise cybersecurity has become increasingly vital for businesses when it comes to innovation, business operations, and risk management. The latest Global Threat Intelligence Report by NTT Ltd highlighted that weaknesses in application security are responsible for over half (55 percent) of all security attacks, yet only $3bn was dedicated to application security out of the reported $59bn spent annually on cybersecurity, according to Gartner’s 2020 Security Market Segment report. The latter in particular clearly suggests that many companies are investing disproportionately less in application security despite it being responsible for a large portion of security attacks.

In addition to this, when you also factor in the new norm of working from home and other remote working practices enforced by the Covid-19 pandemic, the need for implementing a dedicated, long-term approach to application security is now even more important than ever before. So how exactly have we got to this point, and what best cybersecurity practices can be adopted for the new normal?

The changing cybersecurity landscape

There was a time, not too long ago, when business executives had long and complex discussions on IT strategy, in which cybersecurity would be at the very bottom of the agenda. This is now firmly in the past as security today is one of the most important aspects of enterprise IT and business operations.

Most companies today have substantial digital assets and value that they need to protect, and many C-suite executives are worried about the serious threat that cyberattacks pose to their businesses. Company reputation is directly linked to cyberattacks such as security hacks and breaches, and company executives are being held more accountable for such security breaches in the eyes of privacy and data protection regulators.

In light of this, C-suite executives are focusing more on establishing the right security strategy to help them understand and address cyber threats in all their forms, but unfortunately, the difficulty of this task is starting to become apparent to many of them.

Historically, when it comes to enterprise security, companies have largely focused on the physical aspect of it in the form of network security as opposed to software or application security. This made sense at the time as the systems and hardware solutions in use were very much isolated and less complex.. IT departments also had complete oversight of their systems including personnel access, network pathways, and they were reasonably aware of all the possible security threats they faced within the network. This historical narrative goes a long way in explaining the proportional lack of investment in application security today compared to the overall cybersecurity budget allocation.

This is changing as business operations become increasingly more digital to the point where everything is connected and the security threat surface is much greater. Given the complexity of the multitude of systems and applications in use across large enterprises, questions are rightly being asked about whether this network perimeter-based approach to security can withstand newer and more sophisticated application architectures and cybersecurity threats.

Solving the application security conundrum

Application security is responsible for the safe and secure usage of software applications and data. It is a vital aspect of software development as it mitigates security flaws and vulnerabilities in applications, and ultimately prevents sensitive material such as business data from being compromised or stolen.

Companies today have to deal with applications and development frameworks that are evolving very rapidly, whilst also trying to deal with legacy-based technology that wasn’t built for security. This calls for a hybrid approach to cybersecurity that evolves traditional network security and software security thinking via a ‘Zero Trust’ model. Zero Trust is a multi-level security framework around an assumed breach position for all systems and devices within a network, and in essence, requires security practitioners to articulate explicit trust policies around application and data access.

This promotes greater focus and emphasis on data and application security, moving away from the existing network-centric approach that companies have traditionally relied on. In the newer model, any threats from compromised devices will be confined at that level (hardware) as this data-centric security model (Zero trust) prevents further unauthorized access to key information. It’s no surprise that 11 percent of cybersecurity professionals have already adopted the Zero Trust model with a further 47 percent looking to implement this model into their security infrastructure.

Another issue with application security is the lack of thorough testing during the secure software development cycle which leaves new software applications vulnerable to a string of security threats. Whilst its widely acknowledged that improving the security, quality, and resilience of software is paramount for developing safer and more robust applications, diligent security testing is often neglected in favor of faster software development and time to market.

In fact, this echoes the finding in a recent State of DevSecOps Research Report, which found that 75 percent of C-suite executives and frontline practitioners felt that manual security and compliance processes slowed down code release, ultimately delaying product time to market and affecting their competitiveness.

Understanding the threats

This highlights the need for automation in secure software development in order to enable companies to develop software at a faster, but also safer rate. This is where Balanced Development Automation (BDA) tools can be of great use as they focus on leveraging security proactively as a way of achieving speed to market whilst also adhering to set compliance regulations and standards. BDA tools leverage automation to conduct key proactive manual security processes that are often skipped due to being slow, siloed, and expensive, without slowing down time to market.

Whilst this is one way of ensuring that you are achieving a balanced approach to rapid and secure application development, companies also need to combine this with an equally robust security awareness training program that meets regulatory requirements. Software security training programs are a vital part of a business’ security processes and not only a requirement under many regulatory standards and laws but also helpful in fostering and maintaining a culture of security.

Security awareness training is another means to achieve greater security compliance from a regulatory perspective, especially as many regulatory standards mandate businesses to undergo employee security training in light of the rise in security breaches and cyberattacks. Regulatory standards such as General Data Protection Regulation (GDPR), Health Insurance Portability & Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA) all require organizations to implement security training programs.

Additionally, given that these regulatory standards are often changing their policies and regulations, companies also need to build a security architecture that consistently adheres to these rule changes without the need to revamp their cybersecurity measures or strategies. The key to a comprehensive and effective security training program is to deliver relevant and updated information consistently to the appropriate audience at a time that they’re inclined to absorb it.

Building and implementing a successful cybersecurity infrastructure is about a great deal more than just keeping a few harmful cyber threats at bay through consistent software security practices. It is about understanding all the possible cyber threats to the business, adopting and utilizing the right security tools that enable companies to ‘go fast and safe’, whilst also ensuring regulatory compliance, and fostering and maintaining a culture of security vigilance.