Always-on, 24/7 applications mean constant exposure to threats like never before since the advent of the internet. For companies that develop their own applications, their programmers need to produce software as part of an end-to-end secure software development life cycle (SDLC). This means focusing on reducing the attack surface of software, eliminating vulnerabilities, and training developers to design and program more securely. Here's how to ensure the availability, integrity, and confidentiality of your apps.
7 MIN. READ
Over the past four decades, software has evolved. Back in the days of the mainframe, users accessed centrally stored programs on large multi-user systems. In the 1990s, however, the typical application came on a plastic disc shrink-wrapped in a cardboard box and was installed locally and updated only infrequently.
In some ways, we have come full circle: applications are again increasingly delivered over a network, and application developers are increasingly more involved in operational roles and securing the apps they develop themselves. In this always-on, application-as-a-service world, software vulnerabilities can be quickly exploited and simple DDoS attacks can interrupt service.
For companies that develop their own applications, their programmers need to produce software as part of an end-to-end secure software development life cycle (SDLC). This means focusing on reducing the attack surface of software, eliminating vulnerabilities, and training developers to design and program more securely.
sAt the same time, companies also have to treat cloud applications as operational technology that needs to be managed securely. Because cloud applications are always connected, they can easily be targeted, which makes the timely identification and elimination of vulnerabilities critical. To keep ahead of threats, companies should deploy a vulnerability management process that identifies and triages vulnerabilities and can rapidly automate remediation with a web application firewall (WAF). A WAF is a critical web security control that can buy a company time by blocking an attack while the development team works to fix the code.
Beyond the typical vulnerability management discussion of app security, what else should you be considering? A starting point is with setting the right access control. The authentication, authorization, and accounting (AAA) framework is a critical guide for ensuring you require strong authentication by default, using capabilities like SSO and multifactor authentication. Additionally, authorizing users based on robust, role-based access control (RBAC) that includes at least three roles (e.g. unprivileged user, privileged user, and administrator) helps reduce unintended incidents. And, should an incident occur, ensuring that you log events appropriately will help you pull key details for resolution, such as whic account was used and which system it came from.
In this always-on world, software vulnerabilities can be quickly exploited.
In tandem with the AAA framework, looking at app security through the lens of the CIA security principles—confidentiality, integrity, and availability—can highlight additional steps that companies should take to protect their applications and keep services running.
With workers’ increasing reliance on cloud applications, the availability of cloud services has become critical to business operations. Once only a nuisance, DDoS attacks are now far more able to disrupt business operations.
Keeping the digital doors open is a company’s first order of business. Keeping out the bad guys is the second. Development and operations teams need to create secure foundations for access to all their applications and data as discussed in AAA above. They also need to manage change control so unintended changes don’t cause the app to perform in ways that impact the integrity of the data.
Data confidentiality needs to be addressed at collection, transport, and rest whether that’s in the cloud or on premises in your data center. Vulnerability management, including a WAF, are the primary controls you should have in place to prevent an application exploit from compromising your app and the confidentiality of the data in it. These days, there is no reason not to use TLS technology to encrypt communications between the user and the web application server. Data kept in the cloud or on premises should also be fully encrypted to prevent unauthorized access.
Preston Hogue is the Sr. Director of Security Marketing at F5 Networks. Preston is responsible for global security campaigns, evangelism and thought leadership, including oversight of the F5 Labs application threat intelligence team. Preston has over 20 years’ experience in information security including developing, implementing and managing complex security programs, architecting risk analysis and management, and implementing programs to address regulatory and compliance requirements.