Improving app security

April 26th, 2021 in Blog

Minimize risk with these five application security best practices.

Written for business and technical decision-makers, this blog post makes the case for a security-first approach to software development. Learn about the threat landscape. Discover tools that Intelliware developers prefer to use to harden apps, and best of all, integrate our five best practices in your development process.

Let’s be clear – cybersecurity concerns us. As a company that develops custom software for fintech, financial, and public sector clients, we’ve launched apps as the security landscape evolved in complexity and intensity for over 30 years.

Cyberthreats represent a growing concern to enterprise and mid-market organizations worldwide, in both the private and the public sector. By all accounts, cyberattacks have increased both in frequency and sophistication. Since the start of the global pandemic, cybercrimes have risen at an alarming rate.

How prevalent are cyberthreats?

In Canada, 2020 data from StatsCan indicates that almost half—43 percent of large businesses (employers of more than 250 people)—reported a cybersecurity incident in 2020. And that was before every organization that could went virtual because of the pandemic. According to the Canadian Centre for Cybersecurity, the pandemic inspired several new “themed attacks” targeting industries like healthcare.

Unfortunately, in the USA, the numbers look just as concerning. The FBI’s 2020 Internet Crime report identified an increase of 300,000 more complaints of cybercrimes in 2020 which contributed to losses of more than US$4.2 billion. In her article for TechTarget assessing the cybersecurity landscape, journalist Mary K. Pratt explains how diverse American security experts are all reporting a dramatic surge in cyberattacks.

Application security

But what about app security? As a point of vulnerability, decision-makers share a growing concern about app security and the popularity of SaaS products. When employees leverage third-party SaaS apps for the sake of convenience, shadow IT follows. It’s the kind of thing that keeps IT and compliance teams up at night.

Decision-makers are right to worry about app security. Research data suggests a prevalence of app security vulnerabilities.

Veracode’s 2020 State of Software security, Volume 11, reports that:

76 percent of applications have some sort of security flaw
24 percent of applications have a high-severity security flaw

As apps increase in prevalence and sophistication, they represent a persistent area of vulnerability for organizations. Veracode identified the most common app flaws as:

Information leakage, when apps reveal sensitive technical details about the app, environment, or user
CRLF Injection attacks, when characters get injected into an app through vulnerabilities like user forms or HTTP requests
Cryptographic issues, when developers create vulnerabilities by relying on weak algorithms or by misusing password salts
Code quality, when a lack of processes, architecture, and/or team commitment results in messy/buggy code that’s open to vulnerabilities
Credentials management, when the way apps store and manages usernames and passwords results in credentials-based attacks

Some good news

The good news is that the marketplace has responded with technology innovation and improved regulations. Developers have useful tools to help bolster app security. While no single practice or technology could ever prevent breaches and attacks outright, assembling enough of them together as part of a layered security strategy can help.

Security is a strategy, not just a tactical initiative. Organizations need to make it a priority, especially as they embark on digital transformations.

With a strategic approach in mind, let’s look at five best practices for improving application security based on our years of custom software experience.

1. Assign security to everyone

Treat security as a cultural imperative by assigning the responsibility to everyone. Implement a security-first approach where every developer takes responsibility for hardening processes and products. Companies need to ensure they have a security decision-maker to cultivate a security-first environment. That individual must truly understand the technology, know the processes for developing and implementing a robust security strategy, and be willing to advocate for improvements.

Cultivating a security first culture in developers and addressing security early and often in the development process are important for building secure applications.

2. Train and certify developers

As cybersecurity attacks continue to increase in sophistication and prevalence, developers require ongoing security training and certification to stay current. Developers in search of a training platform with security courses will find numerous paid and free options online. Plus, technology leaders like AWS, Microsoft, Google, Oracle, and Cisco all offer free virtual skilling classes for developers.

Intelliware developers grow their knowledge and skills by working collaboratively with their peers, upgrading their skillset with virtual classes, and applying those new digital skills.

3. Review every development process

The environment in which developers code, including the tools and systems they rely on, should get reviewed. Make sure your development processes, pipelines, and platforms have non-negotiable security milestones built in. Include security in your QA planning and testing. Identify and test every link in the chain. The rapid growth of remote workers demands tighter and more secure development processes.

4. Deploy frequently, preferably daily

Embrace Agile and empower teams to deploy frequently, even daily. Frequent releases create more visibility and transparency, making any bugs and vulnerabilities more likely to get detected. Moreover, by adopting Agile, businesses can drive a universal product delivery mindset, empowering product and technology owners and developers to produce better, more secure applications, faster.

For best results, Agile practices must be adopted in totality. Learn more about Agile adoption and the delivery mindset.

5. Test, test, then test again

Take advantage of modern security tools and automation technologies to test your software throughout the process—from requirements gathering to QA. Remember, no tool or technology or solution can single-handedly make your applications secure. Instead, layer your security.

Bonus practice! Leverage developer communities

Also, it pays to stay connected to developer communities. Whether that’s an Agile community, an Open Source one like The OWASP^® Foundation, or partner communities, like Amazon Partner Network or Microsoft Partner Network. Staying connected to peers helps developers discover new strategies and tactics and learn about vulnerabilities.

Develop with open source? The OWASP^® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences. They offer a comprehensive list of open source code analysis tools.

Tools and Practices that get a thumbs up from Intelliware developers

Developers use a diverse array of tools to harden application security.
SonarCloud empowers developers to write cleaner code
Use your cloud provider’s secret manager, e.g., AWS Secrets Manager or Azure Key Vault
Use web application security testing platforms like Acunetix, which can be tied into the development pipeline
Don’t write your own authentication. Use a standard like OIDC and a third-party provider like Okta or Cognito
Don’t write your own crypto or create your own hash functions, both of which are very technical and easy to get wrong

That’s just the start. In a future post, we will provide a more comprehensive look at the technologies and practices we leverage to security-harden apps.

Conclusion

The pandemic has only served to increase the frequency and sophistication of cyberattacks, making improving security an organizational must.

Because no single tool or practice could ever hope to protect an organization or application from cyberattacks, those who adopt a layered security approach can leverage diverse practices and tools.

Decision-makers and development team leaders must make a cultural commitment to security that includes training and certification.