Since 2004, DHS has declared October National Cybersecurity Awareness Month in an effort to—you guessed it—raise awareness about our shared responsibility in keeping cyberspace secure for everyone. I’m all for educating people about security threats and what they can do to prevent breaches, but there must come a time when awareness turns to action.

This will be the thirteenth NCSAM. This effort has just graduated high school. When is it going to enter the real world?

The tragic truth is that the industry simply has not met expectations when it comes to security. Equifax—Equifax, one of three credit reporting companies that the entire economy has relied on for decades—was just breached because of a flaw in their software, which they were aware of and could have patched. As much as half the US population—a staggering 143 million people—has had their most critical information exposed, all due to application security vulnerabilities that weren’t properly addressed.

Organizations that deploy any type of software—web apps, mobile apps, desktop software—must act on what they know: that most security breaches are traceable back to software vulnerabilities. When a company releases software, customers have a reasonable expectation that their data will be protected. We all make a decision to trust that these organizations will be good stewards of our private information—but time after time, they fail to do so.

So what’s stopping you? You know the risks, you know the threats, you know the policies, standards, and best practices that you should be following. Why don’t companies take the steps necessary to protect themselves, their customers, and their data? Well, usually for three reasons: budget, time, and difficulty.

It’s perfectly understandable that companies are hesitant to expend resources on something that isn’t easy and whose ROI is hard to demonstrate. The bottom line is, after all, the bottom line, and it can be hard to assess the value of the attack that you prevented.

But these objections are just excuses, and in part are based on false premises. It does not have to be as time-consuming, expensive, or difficult as you think.

You don’t need to do it all to get rolling with an Application Security program. You don’t start at the finish line, after all.

The way to start is with steps that are reasonable, and appropriately scaled to your product and business. You may need more than a bare minimum approach if your rollout is larger than average, but something is better than nothing. The point is to start, and commit to improving incrementally. AppSec isn’t any single thing; it’s a process that takes time. So, start smaller if you have to. Any application security is better than none. It will, at the very least, allow you to assess how secure your applications are, so you can take steps to mitigate the risk in other ways.

There are a lot of steps that you can take today that won’t cost you anything but time.

  1. Start by talking with your development team. Find out what kind of steps they take to keep their code secure. See if they’re working with your security or QA team to follow up on vulnerabilities. Give them AppSec training if you haven’t already. They’re smart people who want to do the right thing; you just need to give them permission to worry about security, and the resources to actually do something about it.
  2. Adopt secure coding policies and practices, and stick to in-house standards. You (hopefully) already have password and user access policies, and all sorts of other network security policies and practices. Why not develop some standard policies and practices to keep your code secure, too?
  3. Analyze your source code for vulnerabilities. You need to know what’s in your code in order to fix the problems. There are plenty of useful automated application security testing tools available—there are even free open-source tools. Get in the habit of using them as you produce code, and you’ll be stunned at the positive impact on quality and security.

This is only the beginning, but it’s a good place to start. After this comes dynamic testing, penetration testing, employing multiple tools, managing vulnerabilities, and integrating it all into your software development process. You no longer have a choice; once you decide to expose your software to the internet, you accept the responsibility to make it secure. It’s a long journey, but you know what they say about it beginning with a single step.

If you aren’t sure where to start, contact us. We can help you get your AppSec program off the ground.

Don’t just be aware. Do something!