Improving app security
April 26th, 2021 in Blog
Written for business and technical decision-makers, this blog post makes the case for a security-first approach to software development. Learn about the threat landscape. Discover tools that Intelliware developers prefer to use to harden apps, and best of all, integrate our five best practices in your development process.
Let’s be clear: cybersecurity concerns us. As a company that has developed custom software for fintech, financial services, and public sector clients for over 30 years, we have launched apps while the security landscape grew steadily more complex and more hostile.
Cyberthreats represent a growing concern to enterprise and mid-market organizations worldwide, in both the private and the public sector. By all accounts, cyberattacks have increased both in frequency and sophistication. Since the start of the global pandemic, cybercrimes have risen at an alarming rate.
In Canada, 2020 data from StatsCan indicates that almost half—43 percent of large businesses (employers of more than 250 people)—reported a cybersecurity incident in 2020. And that was before every organization that could went virtual because of the pandemic. According to the Canadian Centre for Cybersecurity, the pandemic inspired several new “themed attacks” targeting industries like healthcare.
Unfortunately, the numbers in the USA look just as concerning. The FBI’s 2020 Internet Crime Report recorded roughly 300,000 more cybercrime complaints than the year before, with reported losses exceeding US$4.2 billion. In her article for TechTarget assessing the cybersecurity landscape, journalist Mary K. Pratt reports that American security experts across the board are seeing a dramatic surge in cyberattacks.
But what about app security? Decision-makers increasingly see applications, and the popularity of SaaS products in particular, as a point of vulnerability. When employees adopt third-party SaaS apps for the sake of convenience, shadow IT follows: systems that IT and compliance teams neither vetted nor control. It’s the kind of thing that keeps them up at night.
Decision-makers are right to worry about app security. Research data suggests a prevalence of app security vulnerabilities.
Veracode’s 2020 State of Software security, Volume 11, reports that:
As apps increase in prevalence and sophistication, they represent a persistent area of vulnerability for organizations. Veracode identified the most common app flaws as:
The good news is that the marketplace has responded with technology innovation and improved regulations. Developers have useful tools to help bolster app security. While no single practice or technology could ever prevent breaches and attacks outright, assembling enough of them together as part of a layered security strategy can help.
Security is a strategy, not just a tactical initiative. Organizations need to make it a priority, especially as they embark on digital transformations.
With a strategic approach in mind, let’s look at five best practices for improving application security based on our years of custom software experience.
Treat security as a cultural imperative by assigning the responsibility to everyone. Implement a security-first approach where every developer takes responsibility for hardening processes and products. Companies need to ensure they have a security decision-maker to cultivate a security-first environment. That individual must truly understand the technology, know the processes for developing and implementing a robust security strategy, and be willing to advocate for improvements.
Cultivating a security-first culture among developers, and addressing security early and often in the development process, are essential to building secure applications.
As cybersecurity attacks continue to increase in sophistication and prevalence, developers require ongoing security training and certification to stay current. Developers in search of a training platform with security courses will find numerous paid and free options online. Plus, technology leaders like AWS, Microsoft, Google, Oracle, and Cisco all offer free virtual skilling classes for developers.
Intelliware developers grow their knowledge and skills by working collaboratively with their peers, upgrading their skillset with virtual classes, and applying those new digital skills.
The environment in which developers code, including the tools and systems they rely on, should get reviewed. Make sure your development processes, pipelines, and platforms have non-negotiable security milestones built in. Include security in your QA planning and testing. Identify and test every link in the chain. The rapid growth of remote workers demands tighter and more secure development processes.
Embrace Agile and empower teams to deploy frequently, even daily. Frequent releases create more visibility and transparency, making any bugs and vulnerabilities more likely to get detected. Moreover, by adopting Agile, businesses can drive a universal product delivery mindset, empowering product and technology owners and developers to produce better, more secure applications, faster.
For best results, Agile practices must be adopted in totality. Learn more about Agile adoption and the delivery mindset.
Take advantage of modern security tools and automation technologies to test your software throughout the process—from requirements gathering to QA. Remember, no tool or technology or solution can single-handedly make your applications secure. Instead, layer your security.
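To make the two preceding points concrete (non-negotiable security milestones built into the pipeline, and layering several tools rather than relying on one), here is an added example of a minimal fail-closed CI security gate. It is not Intelliware’s code or any tool from the page; the sample source files, the requirements manifest and the advisory entry are all constructed for illustration (the advisory ID is a placeholder, not a real vulnerability), and the names `scan_secrets`, `scan_dependencies` and `run_gate` are our own. Two independent layers run over the same commit: a hardcoded-secret scan and a dependency-pin check. Either can block the build on its own, and a layer that crashes counts as a blocking finding, so a broken check can never quietly pass a release.

```python
"""Minimal fail-closed CI security gate: layered checks over source files and
a dependency manifest. Added example; every input below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample repository contents (not real project code).
SAMPLE_SOURCE = {
    "app/config.py": 'DB_PASSWORD = "hunter2"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "app/main.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',
}
SAMPLE_REQUIREMENTS = "requests==2.19.1\nflask==2.3.2\npyyaml\n"

# Constructed advisory data: package -> [(first fixed version, note)].
# Hypothetical entry; a real gate would pull this from a vulnerability database.
ADVISORIES = {
    "requests": [("2.20.0", "ADV-EXAMPLE-0001 (constructed): affected below fixed version")],
}

# Secret heuristics: an AWS access key ID shape, and a credential-looking name
# assigned a string literal. Reading the value from the environment does not match.
SECRET_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential literal",
     re.compile(r"(?i)(password|secret|api_key|token)\s*=\s*['\"][^'\"]{4,}['\"]")),
]


@dataclass
class Finding:
    check: str      # which layer produced it
    location: str   # "path:line" or the offending requirement line
    message: str
    severity: str   # "high" or "medium"


def scan_secrets(files):
    """Layer 1: flag hardcoded credentials in source text, line by line."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    findings.append(Finding("secrets", f"{path}:{lineno}",
                                            f"possible hardcoded {name}", "high"))
    return findings


def parse_version(version):
    """Dotted numeric versions only; anything else raises and trips fail-closed."""
    return tuple(int(part) for part in version.strip().split("."))


def scan_dependencies(requirements, advisories):
    """Layer 2: unpinned requirements, and pins below a known fixed version."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            findings.append(Finding("deps", line,
                                    "dependency is not pinned to an exact version", "medium"))
            continue
        name, version = line.split("==", 1)
        for fixed_in, note in advisories.get(name.strip().lower(), []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append(Finding("deps", line, f"{note}; fixed in {fixed_in}", "high"))
    return findings


def run_gate(files, requirements, advisories, fail_on=("high",)):
    """Run every layer; return (passed, findings). A crashed layer blocks the build."""
    layers = [
        ("secrets", lambda: scan_secrets(files)),
        ("deps", lambda: scan_dependencies(requirements, advisories)),
    ]
    findings = []
    for name, layer in layers:
        try:
            findings.extend(layer())
        except Exception as exc:  # fail closed rather than silently passing
            findings.append(Finding(name, "-", f"check crashed: {exc}", "high"))
    blocking = [f for f in findings if f.severity in fail_on]
    return len(blocking) == 0, findings


if __name__ == "__main__":
    passed, results = run_gate(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS, ADVISORIES)
    for f in results:
        print(f"[{f.severity}] {f.check} {f.location}: {f.message}")
    raise SystemExit(0 if passed else 1)
```

Run against the constructed sample, the gate exits non-zero: both literals in `app/config.py` are flagged, `app/main.py` (which reads the password from the environment) is not, the `requests` pin falls below the constructed fix version, and the unpinned `pyyaml` line is reported at medium severity without blocking under the default threshold. Raising `fail_on` to include `"medium"` is the knob a team turns once the milestone becomes non-negotiable. The point of the structure is that each layer is simple and replaceable (swap the regex scan for a real secret scanner, the advisory dict for a database lookup) while the gate’s fail-closed behaviour stays the same.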
It also pays to stay connected to developer communities, whether an Agile community, an open source one like The OWASP® Foundation, or a partner community such as the Amazon Partner Network or the Microsoft Partner Network. Staying connected to peers helps developers discover new strategies and tactics and learn about vulnerabilities early.
Develop with open source? The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences. They offer a comprehensive list of open source code analysis tools.
That’s just the start. In a future post, we will provide a more comprehensive look at the technologies and practices we leverage to security-harden apps.
The pandemic has only served to increase the frequency and sophistication of cyberattacks, making improving security an organizational must.
No single tool or practice can protect an organization or application from every cyberattack. A layered security approach, combining diverse practices and tools so that the failure of one control is caught by another, is the realistic alternative.
Decision-makers and development team leaders must make a cultural commitment to security that includes training and certification.