Responsibility for securing enterprise applications has been moving down the development lifecycle, and for good reason. It not only makes the enterprise more secure, but also saves companies time and money.
For example, the average time to fix a vulnerability in IBM’s application security solution has dropped from 20 hours to 30 minutes, according to a study Forrester Consulting released last month.
Also, finding bugs earlier rather than later in the development process resulted in a 90 percent cost savings, the study indicated.
Not My Job
If security at the application creation level is going to gain traction, however, it’s going to require a change in attitude on the part of developers.
“Developers don’t inherently think about security — they’re paid to ship code,” said Rami Essaid, CEO of Distil Networks.
“We’ve been saying that developers should write good code for the last 20 years, yet nothing happens,” he said.
Moreover, even if an organization can get its developers to write more secure code, it’s still at the mercy of coders who are out of its control.
“We live in a much more complex software environment than ever before. A lot of open source tools are used. We’re using a lot of plug-in software. We’re using a lot of stuff that we don’t write the code for,” Essaid explained.
“You can’t say, ‘we’ll write better code and secure our borders,’ because you’re relying on a much bigger network than what you can write,” he pointed out.
Forging more secure code during the application development stage will be more attractive to code warriors if the tools they’re given to do it are easier to use.
For instance, tools that can use machine learning to ferret out defects and repair them without human intervention would lighten the load on developers who find security testing a chore.
“Developers should have something that checks code for security problems like spellcheck works in Microsoft Word,” suggested Chandra Rangan, vice president for marketing at HP Enterprise.
“When these machine learning systems are introduced, one of their first uses will be testing software,” said Amol Sarwate, director of vulnerability labs at Qualys.
“Slowly, as confidence in the systems increases, they will be deployed on software after it’s released to provide even more protection,” he said.
Spellcheck for Code
There are advantages to moving security practices closer to the beginning of the software development cycle. “The earlier you do it, the more effective you will be, and the cheaper it will be to produce the software,” HPE’s Rangan told TechNewsWorld.
Automating checks for security flaws in code lets errors be found in a timely way.
“If you’re finding problems when the software is already working, you’re going to have a hard time fixing them, because you’ve passed most of the lifecycle stages,” said Israel Barak, CISO of Cybereason.
“Going back to the drawing board is going to be extremely expensive,” he said.
While more secure coding will better protect applications from attack, it too has limitations.
“As long as you’ve got humans designing logic, writing software and building systems, you’re going to have vulnerabilities,” said Ram Mohan, chief technology officer at Afilias.
What’s more, vulnerability protection might not scale.
“Vulnerabilities you think you may have protected your software [against] at one scale may show problems when the scale is increased by an order of magnitude,” Mohan said.
“That’s coming with IoT,” he added.
Multiple Levels of Protection
Application security testing is a critical part of securing the enterprise, but it’s only one part of the solution.
“Security testing is part of a more complete process of the secure software development lifecycle,” said Cybereason’s Barak.
The process must start with the application architecture and continue through the design, quality assurance and testing phase into the deployment phase, he added. However, security also needs to be applied to the infrastructure on which the application will be deployed.
“You can never cover all application vulnerabilities,” Barak said, “so you have to have a system in place to detect when abnormal usage of the application infrastructure is being performed.”