Jul 03, 2014
So you're concerned about your organisation's application security, and want to get started on a plan to secure them. The question is, where do you begin? Do you hire a company to do some penetration tests? Hire a security professional? Train your developers on secure development best practices? Purchase software and hardware to protect your systems and applications? The answer is all of them, but in today's post I explain how to go about prioritising everything that needs to be done, to get your organisation moving in the right direction.
1. Execute a Penetration Test
If your organisation is new to application security, one of the first things to have done is a general penetration test. Hire a company to try to break into your company's systems however they can. The results of this initial penetration test will provide you with lots of immediate action items that need resolving.

If you've never had one done before, many of the issues uncovered by this initial penetration test will likely be quite simple to resolve, and so offer a great instant return in terms of risk reduction. The more challenging action items can then be worked on over time. Focus on the big quick wins first.
2. Employ Additional Layers of Protection
Once you know where your key weaknesses lie, it's time to implement some additional layers of protection. This can be anything from DDoS attack mitigation hardware and software, through to advanced firewalls and anti-virus software.

The exact nature of the software and hardware your company should use to protect its applications will vary depending on their nature, and on the consequences of them being compromised. At a minimum, most companies should be employing anti-virus and firewall defences.

It's important that these layers of protection aren't seen as a way to "make up" for insecure applications, however, which leads us on to point three...
3. Start Training Your Developers
Once you've run your initial penetration test, resolved the "easy fixes" and implemented some additional layers of protection, it's important to begin focusing on the root cause of most application security weaknesses: the developers building the applications. You can't rely on your developers to train themselves. They need to be trained, even if just in minimum best practices initially.

Developers who are more aware of the biggest security risks in the applications they build, and of how to minimise them, will build applications that contain fewer vulnerabilities. Vulnerabilities that make it into your final applications are 30x as expensive to resolve as those identified during the design stage.

The importance of training cannot be overstated.
4. Maintain Security Standards
As developers become more security aware, it's important that you maintain high security standards within your development teams. Don't let quality slip. The most secure organisations develop their own secure processes for software development, and also use real-time reference guides like TeamMentor, full of best practices for the languages your developers program in.
5. Never Stop Improving
It's important that you never stop working on application security within your organisation. It can always be improved, and all aspects of security are a continuous process. New developers will need training when they join your organisation, and existing developers need ongoing training so that they are aware of the latest threats your organisation faces.

Whilst there are many additional steps your organisation can take to improve the security of its applications, from attack simulation through to threat modelling and managed application security testing, every organisation needs to start somewhere. By following the steps above alone, you'll be ahead of many organisations, and will have a base in place which you can build upon over time.

Have any advice of your own for organisations just getting started with securing their applications? Share it in the comments below.