Quick Wins for Application Security

There are two major things your organisation can do to improve its application security: improve the security of applications you use, and improve the security of applications you develop.

Today, I’m looking at six actionable ways your organisation can improve both aspects of your application security.

1) Assess the Security of New Software

New software can have massive implications for your organisation; as well as affecting your team’s productivity and efficiency, it will also impact the security of your organisation’s critical data. To minimise the risk to your data and your organisation, it’s imperative that you choose software that follows security best practices such as:

  • SSL encryption
  • Compliance with industry security standards
  • Robust password and permissions systems

2) Check That Software is Still Supported

When software gets outdated it quickly becomes vulnerable to attack. Therefore, for all software that your organisation uses, it’s important to make sure that the version you're using is still regularly updated, supported and patched by the vendor. If you find out that the software version you’re using is no longer supported, you should update to the current version, and install all relevant security patches as recommended by the vendor.

3) Inventory Authorised and Unauthorised Software

Shadow IT (the use of unauthorised applications that exist within an organisation’s wider IT network) is a growing security concern. It most commonly manifests when employees install their preferred software applications onto a device connected to an organisation’s network and use them without making the IT department aware.Insecure applications will create vulnerabilities through which data breaches can occur and introduce security blind spots – parts of your organisation’s network that are operating outside the knowledge of your IT team. Therefore it’s vital that you keep track of approved software being used by your organisation (so you can keep it updated), and wherever possible, identify instances of unauthorised software being used by your employees - to minimise the risks associated with shadow IT.

4) Deploy Web Application Firewalls

Web application firewalls (WAFs) inspect all traffic flowing to web applications for common attacks, such as cross-site scripting, SQL injection, and command injection. A 2014 study by Positive Technologies found that only one out of 40 applications they examined had a web application firewall, despite WAFs being able to detect many of the application vulnerabilities their study identified as being most common. Deploying a WAF will protect web applications against common attacks, and help to safeguard the sensitive data they contain.

5) Implement Peer Review

When developing applications, frequent code reviews will help to identify software vulnerabilities as early as possible during the development process. This is the best way to reduce the damage and costs associated with software vulnerabilities.Many organisations choose to implement an ongoing peer review process known as pair programming – where two programmers regularly review each other’s code as they work. Pair programming is a quick and effective way to check the security of both developers’ code during the development process.

6) Secure the Software Development Lifecycle

Whilst estimates on the time and cost to fix vulnerabilities vary slightly, all research confirms that the cost to fix software vulnerabilities grows exponentially as you progress through the software development lifecycle (SDLC).The sooner a problem can be detected, the cheaper it is to fix, so a rigorous testing procedure throughout the SDLC reduces the likelihood of critical vulnerabilities making it into the finished application. Securing the SDLC requires a change in practices across your whole development team – and while not technically a quick win, is the single best way to improve your application security.

Get Switched on

Subscribe to our newsletter to keep ahead in the industry, and be the first to access new reports and white papers.