This article was first published on United States Cybersecurity Magazine.
Cybersecurity news is a curious thing. For the most part it’s bad news. Companies have been breached, risks are ever increasing, and another billion-dollar crypto raid is under investigation. Feels like we have enough to be worried about in 2022 without adding more.
Application security is a category within a category and has been top of many security teams’ radars for the best part of a decade. Why? Because companies use complex web applications to interact with their customers and manage a lot of sensitive data. Despite the obvious need, application security gets a bad rap.
The barriers to entry can be a mix of the following:
- The people skills to do application security properly are in demand, hard to find, and expensive.
- The tools are complex.
- Tooling can be expensive (and when it’s not, skills need to go up – see point 1)
- Tooling can be disruptive to the build process.
- Security is an ever-changing landscape.
- Security isn’t a priority for everyone.
To add to the pain, when you get all of the above (somewhat) in place, you are faced with another barrier to security: Vulnerabilities.
The average number of vulnerabilities in a web application has been climbing for a decade. As the use of scanning tools increased – so did awareness. Since 2019 this trend has reversed slightly, with the average number dropping to around 15, but the percentage of these that are critical has increased. A recent report from NTT (recently acquired by Synopsys) suggests that over 50% of applications have at least one critical vulnerability, and that the average time to fix a critical vulnerability is just shy of 200 days and climbing.
The second you start scanning, you are going to be faced with some uncomfortable truths. That application you have spent months/years developing… It’s got issues. Those issues are going to force you to make compromises on the technology, the experience and possibly even the goals you set out to achieve.
You may have built vulnerabilities in and may have inherited them using 3rd party libraries. You may also have done everything the “right” way and a new zero day popped up on the black market right before your release. You may even have become a victim of your own success, with enough users and user data to be a juicy target worthy of an attacker’s time and energy.
As an industry, we have reached a turning point where it’s no longer enough to prioritize security, or have security controls. Customers and vendors want proof. Companies have entire security teams focused on assessments for acquisitions. Standards are being raised to allow for approved security vendors to provide reports that can be shared with potential buyers.
Yet still, there is room for improvement.
What if application security wasn’t an unsaid requirement? What if application security wasn’t a conversation that has to be resolved by endless questionnaires and spreadsheets being emailed back and forth? Let’s dream big for a moment.
Imagine a future where the security of a web application was as openly available as the SSL certificate. Imagine this was a badge of honor, rather than a wall of shame; where companies display their security posture with pride, comfortable that they have taken every step to harden their defenses against incoming attacks, and put users’ minds at rest.
There are obstacles to this approach:
- Who can provide the certification?
- What if the standard changes?
- What are the risks of publishing your security posture?
- How do we store certificates in a way that is both trustworthy and tamperproof?
- How do we get overworked security and development teams to buy into yet another security standard?
So how do we get there?
Simply put, we start small. The security industry has been a sponsor and advocate for application security since websites became complex enough to be attacked. Organizations like OWASP have been championing processes, tools and training for years and are pushing on new standards to help companies since 2001. Companies have been doing their part, connecting companies with the brightest and best pentesters on the market.
The cybersecurity industry is on the right path to making application security a basic principle for every software development team on the planet. There are more tools now that there ever have been, right from the code repository to the application server.