Gartner expects global enterprise security spending to increase 8% from 2017, reaching a total of $96.3 billion in 2018. Increased awareness of security threats (thanks to more high-profile breaches at companies such as Equifax) and regulatory compliance are two of the main drivers behind this increased spending.
Many security breaches are the result of neglected or abandoned applications. Cybersecurity threats change and evolve, and if applications stop updating, they can become vulnerable to new, unforeseen threats. This makes application security critically important for businesses.
You must devote a portion of your budget to application security. It is too often ignored, and the consequences can be severe. While many businesses cite cost as an excuse to ignore it, there are steps you can take to address application security in a cost-effective way. With the advent of countless inexpensive solutions, cost is no longer a valid reason for any business to neglect proper AppSec processes.
Ignoring these steps can end up costing you even more money—when your application security testing process fails (and it will fail if you ignore it), the repercussions can be expensive. The Equifax incident is a great example. The company announced the security breach in September of 2017, and nine months later, the share price still has not recovered. They have lost the public’s trust. Trust takes years to build, but can disappear in an instant—and good luck getting it back.
Let’s look at three processes necessary to implement a high-quality and cost-effective application security plan that gets more done with less effort (and money).
Build application security into the process
Application security is frequently ignored until the end of a build. Addressing AppSec as an afterthought is one of the most costly ways to approach it, and is part of the reason so many companies cite cost as their excuse for not bothering with it at all.
Studies have shown it can cost up to six times as much to fix a coding issue in production as it does to fix it during development. Running AppSec testing only on entire builds creates an enormous bottleneck: the whole production pipeline comes to a screeching halt while the team scrambles to fix a laundry list of vulnerabilities the developers didn’t know about.
Imagine if a fast food restaurant waited until everyone placed their order, then prepared all of those orders, then distributed them simultaneously. Does that make any kind of sense? Of course not; they’d be out of business immediately. They take, prepare, and distribute orders as they come, because it creates fewer problems, avoids backups in the kitchen, and keeps customers happy.
Just like any well-run process, AppSec is best accomplished in smaller, more manageable chunks. It takes far less time and fewer resources to fix a security issue before an application is deployed (or is ramping up to deploy).
Frequent testing and monitoring align with the Agile methodology and Continuous Integration (CI) that many businesses now follow for application development.
Security scanning must be performed at each and every stage of development. If a build breaks, the identified vulnerabilities must be fixed before work continues, or the vulnerabilities will only multiply. That’s because later sections of code often depend on earlier chunks, and a vulnerability left in a chunk that other processes rely on is far more likely to propagate into your end product.
It is true that some testing cannot be done until an application is complete, but if your team has been testing and addressing issues regularly during the development process, there will be far fewer issues to resolve once you have a running application.
A cost-effective application security testing process includes a remediation process. Continuous testing during development is great, but if you’re generating reports on identified vulnerabilities that are being ignored by developers, you’re wasting time and money. There must be a clearly defined, reproducible, dependable process in place to handle the vulnerabilities you find.
Threats and vulnerabilities must be logged into the system that developers are using. You need to be able to prioritize threats, assign them an owner and deadline, and track progress on remediation.
There are tools that accomplish this, which we will discuss in the next section. The main point to remember here is that application security cannot be treated as something that is done as an afterthought or outside of the larger development process. You can save money by spending resources upfront and staying on top of issues as they occur.
Application security testing tools
There are a wide variety of free open-source and paid commercial application security testing tools. Researching open-source tools that meet your needs is worth your time, as they can save you money, but don’t expect to rely solely on open-source solutions.
Proper application security testing requires the use of multiple types of testing, including Static Application Security Testing (SAST) tools, Dynamic Application Security Testing (DAST) tools, Interactive Application Security Testing (IAST) tools, and more. For a complete overview of these tools and the value they provide to application security testing, check out our recent blog post.
Find the right combination of tools and balance open-source with commercial options to ensure the money you do invest will provide thorough security coverage for your application. Demonstrating a strong ROI on security testing tools will also keep executives happy.
Using multiple types of tools will create some challenges. Each tool generates reports that need to be correlated and de-duplicated. This can eat up extra time, resources, and money, or—even worse—push you towards ignoring potential vulnerabilities.
An application security and correlation management system streamlines the above, making it easier (and in some cases possible) to use different tools and techniques together. With an automated AppSec correlation and management system, the entire process becomes accessible and convenient, truly integrated into the software development lifecycle.
The results from different application security testing tools are consolidated into a single, unified report. Duplicates are removed, saving time, labor, and expense. Some of these tools can also examine results from SAST tools using DAST tools, a process called Hybrid Analysis. That means you can now quickly (and cost-effectively) cross-reference potential vulnerabilities found by SAST tools with results from DAST tools to determine which threats are actually exploitable.
Priorities can be appropriately set, with resources devoted to the highest-level threats. Fixing the most critical threats first delivers a better ROI on the tools you’re using, and adds more value to the entire application security process.
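The correlation, de-duplication, and prioritization described above, together with the “fix it before the build continues” gate from the earlier section, as an added example that is not code from the original post or from any vendor’s product. The two input reports, the tool names (sast-a, sast-b, dast-x), the file paths, and the severity ranking are all constructed for illustration; a real correlation system would parse each tool’s native report format instead of these dictionaries.

```python
"""Correlate, de-duplicate and prioritise AppSec findings, then gate the build.

Added example (not the page's or any vendor's code). The reports, tool names
and severity ranking below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed SAST report: static findings located in source code.
SAST_REPORT = [
    {"tool": "sast-a", "cwe": "CWE-89", "file": "app/db.py", "line": 42,
     "route": "/search", "severity": "high"},
    {"tool": "sast-b", "cwe": "CWE-89", "file": "app/db.py", "line": 42,
     "route": "/search", "severity": "medium"},   # same flaw, second tool
    {"tool": "sast-a", "cwe": "CWE-79", "file": "app/views.py", "line": 10,
     "route": "/profile", "severity": "medium"},
    {"tool": "sast-a", "cwe": "CWE-798", "file": "app/config.py", "line": 3,
     "route": None, "severity": "low"},
]

# Constructed DAST report: runtime findings against the running application.
DAST_REPORT = [
    {"tool": "dast-x", "cwe": "CWE-89", "route": "/search", "severity": "high"},
    {"tool": "dast-x", "cwe": "CWE-16", "route": "/", "severity": "low"},
]

# Constructed severity scale; higher means more urgent.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    cwe: str
    location: str                 # file:line for SAST, route for DAST-only
    route: Optional[str]
    severity: str
    sources: List[Tuple[str, str]] = field(default_factory=list)  # (tool, kind)
    confirmed_by_dast: bool = False

    @property
    def priority(self) -> int:
        """Severity rank, bumped when a DAST scan confirms the flaw is reachable."""
        return SEVERITY_RANK[self.severity] + (2 if self.confirmed_by_dast else 0)


def _max_severity(a: str, b: str) -> str:
    return a if SEVERITY_RANK[a] >= SEVERITY_RANK[b] else b


def dedupe_sast(report: List[dict]) -> Dict[Tuple[str, str, int], Finding]:
    """Merge SAST findings that report the same CWE at the same file:line."""
    merged: Dict[Tuple[str, str, int], Finding] = {}
    for raw in report:
        key = (raw["cwe"], raw["file"], raw["line"])
        if key not in merged:
            merged[key] = Finding(cwe=raw["cwe"],
                                  location=f'{raw["file"]}:{raw["line"]}',
                                  route=raw["route"], severity=raw["severity"])
        finding = merged[key]
        finding.sources.append((raw["tool"], "sast"))
        # Keep the highest severity any tool assigned to the merged finding.
        finding.severity = _max_severity(finding.severity, raw["severity"])
    return merged


def correlate(sast_report: List[dict], dast_report: List[dict]) -> List[Finding]:
    """Cross-reference SAST findings with DAST findings on the same CWE and route."""
    findings = list(dedupe_sast(sast_report).values())
    by_cwe_route = {(f.cwe, f.route): f for f in findings if f.route}
    for raw in dast_report:
        match = by_cwe_route.get((raw["cwe"], raw["route"]))
        if match is not None:
            match.confirmed_by_dast = True          # reachable at runtime
            match.sources.append((raw["tool"], "dast"))
            match.severity = _max_severity(match.severity, raw["severity"])
        else:
            findings.append(Finding(cwe=raw["cwe"], location=raw["route"],
                                    route=raw["route"], severity=raw["severity"],
                                    sources=[(raw["tool"], "dast")]))
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def build_gate(findings: List[Finding], fail_at: str = "high") -> List[Finding]:
    """Findings that must block the build: anything at or above `fail_at`,
    plus anything a DAST scan has confirmed regardless of static severity."""
    threshold = SEVERITY_RANK[fail_at]
    return [f for f in findings
            if f.confirmed_by_dast or SEVERITY_RANK[f.severity] >= threshold]


if __name__ == "__main__":
    results = correlate(SAST_REPORT, DAST_REPORT)
    for f in results:
        tools = ", ".join(tool for tool, _ in f.sources)
        flag = "DAST-confirmed" if f.confirmed_by_dast else ""
        print(f"P{f.priority} {f.severity:<7} {f.cwe:<8} {f.location:<18} {flag} [{tools}]")
    # Non-zero exit fails the CI step, so the build stops until these are fixed.
    raise SystemExit(1 if build_gate(results) else 0)
```

With the constructed input, the two SAST reports of the same SQL injection at app/db.py:42 collapse into one finding, the DAST hit on /search confirms it and lifts it to the top of the list, and the gate returns only that finding at the default threshold, which is what turns a report nobody reads into a build that refuses to proceed. Raising `fail_at` to "medium" would also block on the unconfirmed XSS finding.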
A quality application vulnerability correlation and management tool will also integrate with software development and issue management tools such as Jira and Jenkins, enhancing collaboration between developers and security analysts. Truly effective tools in this category allow developers to view vulnerabilities without leaving their preferred development environment. Progress can be tracked to ensure an owner is assigned and issues are resolved promptly.
When integrated into the process with an AppSec management system, AppSec testing becomes a part of the normal workflow, as opposed to a nuisance side task that is assigned on top of development work and outside the development process.
An application vulnerability correlation and management tool is the best way to get the most out of the testing tools and techniques you’re using (especially the ones you’ve purchased), reduce time and money spent sorting through results, and ensure threats are properly addressed so you don’t waste more time and more money fixing them in production.
Get your whole team on board
This may be the most important—and most challenging—area to address. Your entire team of developers needs to be committed to application security if you’re going to achieve a more efficient and cost-effective process. And your team can’t just pay lip service to AppSec; they have to truly believe it is important.
This starts at the top—with you showing your full commitment to the importance of application security. You need to make an investment in it to show your team just how important it is.
If your team is currently working on an application with known security vulnerabilities, a suggested approach is to stop work on new feature requirements and give them one or two weeks to correct outstanding issues. Once you’re back to a clean slate with no known issues, work can resume with a full joint commitment to maintaining a “zero broken build” status.
Working continuous testing into your process will identify new issues with each build. Your team must address them immediately—before the next build can begin.
Your whole team—software engineers and developers—must be trained in secure programming so it becomes part of the coding process and part of their mentality. The end goal is to have a developer take it personally when a vulnerability is found. They should feel proud of error-free work.
Your team is less likely to address issues if they have to switch to another tool to see what threats have been found. Collaboration tools such as a vulnerability and correlation management system help with this attitude adjustment by integrating application security into the development process. Developers are more likely to take ownership of issues and resolve them when they are tracked within the system they are already using. This makes it easy for them to embrace application security.
Provide positive feedback as builds progress without errors, even if it takes a little more time. Keep in mind that doing it right the first time saves you time and money compared with fixing issues at or just before deployment.
This new focus on creating secure applications may take time to reinforce, but it’s important to remember that the one issue you ignore or fail to correct could be the one that results in a breach that costs your business a fortune and destroys your company’s reputation.
You probably have a limited amount of time, resources, and money you’re able to devote to application security testing. Adjust your process and attitude and use the right tools to make sure you get the most value out of the resources you have.
Use the right combination of free and commercial tools to keep costs down. Integrate AppSec into the development process from the start so issues can be addressed quickly and cost-effectively. Take the time to get your whole team on board. 100% commitment to application security translates directly to fewer threats, faster remediation, and of course less time and money spent fixing issues. The end result is a secure application with money left in your company’s pocket.