Over the past four decades, software has evolved. Back in the days of the mainframe, users accessed centrally stored programs on large multi-user systems. In the 1990s, however, the typical application came on a plastic disc shrink-wrapped in a cardboard box and was installed locally and updated only infrequently.
In some ways, we have come full circle: applications are again increasingly delivered over a network, and application developers are increasingly involved in operational roles and in securing the apps they develop themselves. In this always-on, application-as-a-service world, software vulnerabilities can be quickly exploited and simple DDoS attacks can interrupt service.
Companies that develop their own applications need their programmers to produce software as part of an end-to-end secure software development life cycle (SDLC). This means focusing on reducing the attack surface of software, eliminating vulnerabilities, and training developers to design and program more securely.
Applying access controls and core security principles
At the same time, companies also have to treat cloud applications as operational technology that needs to be managed securely. Because cloud applications are always connected, they can easily be targeted, which makes the timely identification and elimination of vulnerabilities critical. To keep ahead of threats, companies should deploy a vulnerability management process that identifies and triages vulnerabilities and can rapidly automate remediation with a web application firewall (WAF). A WAF is a critical web security control that can buy a company time by blocking an attack while the development team works to fix the code.
Beyond the typical vulnerability management discussion of app security, what else should you be considering? A starting point is setting the right access control. The authentication, authorization, and accounting (AAA) framework is a critical guide for ensuring you require strong authentication by default, using capabilities like SSO and multifactor authentication. Additionally, authorizing users based on robust role-based access control (RBAC) that includes at least three roles (e.g. unprivileged user, privileged user, and administrator) helps reduce unintended incidents. And, should an incident occur, ensuring that you log events appropriately will help you pull key details for resolution, such as which account was used and which system it came from.
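As an added example (not code from the original article), the three AAA pieces above in one small authorization layer: MFA required by default, the three roles named in the text as a deny-by-default RBAC check, and an accounting log that records which account and which source system made each request. The action names, the strict role hierarchy and the sample accounts are constructed assumptions for illustration.

```python
"""Minimal AAA-style authorization check with an audit trail (added example)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Role(IntEnum):
    """The three roles named in the text, modelled as a strict hierarchy
    (an assumption made for this example; real RBAC may not be linear)."""
    UNPRIVILEGED = 1
    PRIVILEGED = 2
    ADMIN = 3


# Least privilege: each action names the minimum role allowed to perform it.
# Action names are constructed for this example.
REQUIRED_ROLE: Dict[str, Role] = {
    "view_own_profile": Role.UNPRIVILEGED,
    "export_report": Role.PRIVILEGED,
    "change_user_role": Role.ADMIN,
}


@dataclass
class Principal:
    account: str
    role: Role
    mfa_verified: bool  # strong authentication by default: no MFA, no access


@dataclass
class AuditLog:
    """Accounting: every decision keeps the details an incident responder needs."""
    entries: List[dict] = field(default_factory=list)

    def record(self, **event) -> None:
        self.entries.append(event)


def authorize(principal: Principal, action: str, source: str, log: AuditLog) -> bool:
    """Allow only if MFA passed, the action is known, and the role is sufficient.
    Unknown actions are denied rather than allowed (deny by default)."""
    required: Optional[Role] = REQUIRED_ROLE.get(action)
    allowed = (
        principal.mfa_verified
        and required is not None
        and principal.role >= required
    )
    log.record(account=principal.account, source=source, action=action,
               decision="allow" if allowed else "deny")
    return allowed
```

The log entries contain the account and source system the text calls out, so a denied request can be traced back without correlating across separate systems.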