Breaking Down The Critical Security Controls: CSC 18 – Application Security
The list of the top 20 Critical Security Controls is almost complete. Number eighteen gets more granular and focuses on applications directly. The controls thus far have started broad and slowly narrowed down; number eighteen is one of the more difficult and critical to address.
When you talk about application security, the easiest explanation is two words: zero day, the vulnerability with an exploit that leaves applications open for takeover. Today anyone can build and release an application in a very short amount of time, but without proper security practices and processes in place around how the application is built, you are leaving your users and yourself at high risk. Not if but when.
Here’s what the control says –
Manage the security life-cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
This control is perhaps the most comprehensive in a security program. It encompasses people, process and technology. Not having all three involved will leave your applications open to exploits and data loss.
People – Educate, train and make them aware. Start with the OWASP Top 10 but don’t stop there. Integrate training into the life cycle process; don’t leave it to once-a-year reviews. Change how the training is approached as well. Instead of focusing on a practice, show the application teams how easily some vulnerabilities can be exploited. Include the application teams in regular vulnerability alerts. Keep them aware of new breaches, techniques and lessons learned from other breaches to help them keep best practices in mind as they create.
Processes – The Software Development Life Cycle (SDLC) must exist from conception to delivery. As the world trends toward a more Agile-based approach to application development, security is left behind. Agile is about speed, and security steps slow down the ever-sacred story and backlog. Security reviews, checks and signoffs must be part of the organic development process and not a checkbox outside it. This means tighter integration of security teams throughout the cycles, closer to the developers and included from the first day of a sprint. If not, the application will continue to be developed and released before security is properly reviewed and remediated. With each subsequent release those security gaps get larger and harder to close.
Technology – You cannot address this control without technology solutions. It’s impossible. Static code scanners built into the developers’ IDE tools are required. Whenever code is checked in, scanners should review it. Put blocks in place so that no code can be released with any critical findings. Human eyes can test the functions and catch the easy-to-find security gaps, but the deeper ones, such as SQL injection, input vulnerabilities and session breakdowns, cannot be found without technology to perform those checks.
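One way to implement the "no release with critical findings" block, as an added example that is not part of the original post. It assumes the scanner writes a SARIF 2.1.0 report whose rules carry a `security-severity` score (the convention GitHub code scanning uses) and that "critical" means 9.0 or higher; the tool name, rule ids and file path are constructed.

```python
import json

# Constructed sample report in SARIF 2.1.0 shape (not real scanner output).
SAMPLE = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "sql-injection", "properties": {"security-severity": "9.8"}},
        {"id": "weak-hash", "properties": {"security-severity": "5.3"}},
        {"id": "custom-rule"}]}},  # rule that carries no severity score
    "results": [
        {"ruleId": "sql-injection", "level": "error", "locations": [{
            "physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                 "region": {"startLine": 42}}}]},
        {"ruleId": "weak-hash", "level": "warning"},
        {"ruleId": "custom-rule", "level": "error"}]}]})

CRITICAL = 9.0  # assumption: "critical" means a security-severity of 9.0 or more

def gate(sarif_text, threshold=CRITICAL):
    """Return (release_allowed, reasons); fail closed on anything unjudgeable."""
    try:
        runs = json.loads(sarif_text).get("runs") or []
    except (TypeError, ValueError, AttributeError):
        return False, ["report is not valid SARIF JSON"]
    if not runs:
        return False, ["no scanner run in report; silence is not a clean scan"]
    reasons = []
    for run in runs:
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        scores = {r.get("id"): r.get("properties", {}).get("security-severity")
                  for r in rules}
        for res in run.get("results", []):
            rule = res.get("ruleId", "<no rule id>")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            where = "%s:%s" % (loc.get("artifactLocation", {}).get("uri", "?"),
                               loc.get("region", {}).get("startLine", "?"))
            try:
                score = float(scores.get(rule))
            except (TypeError, ValueError):
                # Unscored finding: block if the scanner itself rated it an error.
                if res.get("level") == "error":
                    reasons.append("%s at %s: unscored error" % (rule, where))
                continue
            if score >= threshold:
                reasons.append("%s at %s: severity %.1f" % (rule, where, score))
    return not reasons, reasons

if __name__ == "__main__":
    allowed, why = gate(SAMPLE)
    print("RELEASE ALLOWED" if allowed else "RELEASE BLOCKED", *why, sep="\n")
```

In a pipeline, the step that calls `gate` should exit non-zero when the first return value is False, so an empty or unreadable report blocks the release just as a critical finding does.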
PPT: people, process and technology in an integrated program will make your applications more secure.
How It Could Be Exploited
Open a newspaper… or open any tech blog… and you’ll see how it’s being exploited. Zero days, vulnerabilities and ransomware all use gaps in applications. Hackers spend months and years poking, prodding and meddling with applications looking for the unknown, obscure security gap to exploit. They install the application in a lab and attack it, constantly, looking for anything that can get them through. You have to assume that if you have an application, it’s being looked at for an exploit. Why do you think there are so many patches for an application?
This post is short, but the importance of application security cannot be emphasized enough. The growing threat in the world today is from poor application development in the form of IoT (Internet of Things). The race to get devices and applications released first has left security in the dust. Hackers know this and have begun using those vulnerable devices to their advantage.
Proper application security begins before the first line of code is written.
End of line.