Jul 24, 2014
When it comes to application security, your organisation has two main considerations: the applications you develop, and the applications you use. If vulnerabilities in either are exploited, both have the capacity to compromise your company’s data.

So today I’m looking at 4 steps you can take to keep your application security simple, but effective.
1) Assess Your Current Security Situation
Before you can improve your application security, you need a good understanding of your current security situation.

As a first step you should identify all applications being used on devices connected to your organisation’s network – including employees’ personal devices which get connected to your network.

You also want to measure the security of your software development lifecycle. Does it adhere to security best practices, or are you cutting corners to minimise delays and keep costs down?

Once you have a good understanding of your company’s current state of application security, you will be able to prioritise areas where it is most critical for you to make improvements.
2) Set S.M.A.R.T. Targets
Once you’ve identified areas for improvement, you need to set targets to aim for, against which you can measure your progress. These should be Specific, Measurable, Attainable, Realistic and Timely (S.M.A.R.T.), to bring structure and accountability to your goals.

For example, rather than aiming to “improve application security”, you would aim to “reduce the number of critical vulnerabilities in application X by 10% over the next three months”.

The first target your company needs to aim for is achieving regulatory compliance, but that should be the minimum standard you aim to exceed, rather than the heights you aspire to. Regulatory bodies always lag behind cyber criminals as they are traditionally slow to react to the latest security threats and vulnerabilities. Therefore, you will be better served by aspiring to industry best practices, for example the OWASP Top 10 guidelines.
3) Make Sure Third-Party Apps are Secure
Shadow IT (the use of unauthorised applications within an organisation’s IT network) is a growing concern for companies, as it creates security blind spots.

It most commonly manifests when employees install applications on their devices without making the IT department aware. This can create vulnerabilities through which data breaches can occur, which will affect the whole of your organisation’s network.

All applications on your network can pose a risk to your company’s security. Therefore, you need to make sure that they’re all as secure as possible by:
- Only using software that’s still regularly updated, supported and patched by the vendor
- When choosing new software, making sure it follows best practices such as SSL encryption and robust permissions systems
- Testing new apps for common security weaknesses
- Notifying IT when installing new applications, so they are kept up to date, and to reduce the risk posed by shadow IT
- Rolling out security awareness training across the whole company, to educate employees on the risks of poor security practices
4) Secure all Stages of the Software Development Lifecycle
To improve the security of the applications your organisation develops, you need to make security an integral part of the software development lifecycle (SDLC), from planning right through to maintenance after implementation.

There are several good practices you can bring in, such as educating your developers in defensive coding, introducing pair programming, and teaching your security team how to properly use code analysis tools during the testing phase, to identify vulnerabilities and bugs your developers may have missed during their code reviews.

This can be a source of competitive advantage, if your company becomes known for its high security standards, and is the single most important step you can take to improve your application security.