Five ways to ensure your applications are cyber resilient

The massive shift to remote work caused by the COVID-19 pandemic has heightened the need for resilient application security practices in many organizations.

On top of the volume and frequency of application releases, application security teams now have to cope with distributed development: code is written and checked in from all over the world, outside the network perimeter the team used to rely on.

With applications being released into production weekly, daily, or even hourly, every second counts, and the "Sec" in DevSecOps has never been more relevant or important. It's time to make sure your approach to application security is cyber resilient. Here are five areas to focus on.

1. Automation

Automation is critical to cyber resilience. Use tools that make your application security pipeline as touchless and process-driven as possible. Anything that can be automated should be automated, and a resilient system not only allows that but drives it.

Imagine an environment where, if you suddenly need to scan 1,000 applications, the number of scanners grows automatically to handle that volume. When the volume drops and you no longer need as many scanners, the system notices and shrinks the pool again.

In a truly resilient system, developers write and commit code, and scanning simply happens; nobody has to trigger it. The system automatically filters out findings you cannot fix (for example, in vendored third-party code), findings that are not relevant in your environment, and findings that do not affect the KPIs you have agreed to track. It is like pressing the gas pedal of a car: a lot is going on under the hood, but the driver only needs to know what it does.

Ultimately, the goal is code that self-corrects the way a spell checker does, with the system proposing or applying fixes on its own. We are not there yet, but one day there will be enough intelligence in these tools to trust them with that.

2. Have actionable results

Your application security program should be focused on driving actionable results from your testing, centered on what you need to fix today. Historically, application security tools have handed you a checklist of every problem they could detect, when what you really need is the short list of issues that matter to your organization and to the team shipping the code.

A resilient system surfaces the 10 things you need to solve today, not the 1,000 things you might need to solve over time. It uses the context it has (severity, reachability, where the code lives, what has already been risk-accepted) to identify the issues that would actually block a release to production.

Actionability is part of automation. A developer writes some code, and behind the scenes it is evaluated and only the findings that are relevant and need fixing are handed back, as quickly as possible. It is the difference between a horse and buggy and a Tesla.
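One way to turn a raw scanner report into the short, actionable list this section describes. This is an added example, not code from the article or from any vendor's product: the SARIF-style findings, the rule IDs, the suppression rules and the gating threshold are all constructed here for illustration.

```python
"""Triage a scanner report down to what a developer must fix today.

Added example: the findings, rule IDs and policy values below are invented
for illustration; a real pipeline would load them from a SARIF file and a
policy file checked into the repository.
"""
from dataclasses import dataclass
import fnmatch

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "note": 0}


@dataclass(frozen=True)
class Finding:
    rule_id: str          # scanner rule identifier (hypothetical values below)
    severity: str         # key of SEVERITY_RANK
    path: str             # file the finding points at
    fingerprint: str      # scanner-supplied stable hash of rule + location
    reachable: bool = True  # data-flow analysis says the sink is reachable


@dataclass(frozen=True)
class Policy:
    ignore_paths: tuple   # globs the team cannot fix: vendored or generated code
    accepted: frozenset   # fingerprints already risk-accepted by an owner
    gate_severity: str    # lowest severity that blocks a release
    max_items: int        # how many findings to hand back at once


def triage(findings, policy):
    """Return (top_items, blocking).

    top_items: the highest-priority findings left after suppression, at most
               policy.max_items of them.
    blocking:  True if any reachable finding meets the gate severity, i.e. the
               build should not ship.
    """
    seen = set()
    kept = []
    for f in findings:
        if f.fingerprint in seen:           # same issue reported twice
            continue
        seen.add(f.fingerprint)
        if f.fingerprint in policy.accepted:  # already risk-accepted
            continue
        if any(fnmatch.fnmatch(f.path, pat) for pat in policy.ignore_paths):
            continue                          # code the team cannot change
        kept.append(f)

    # Highest severity first; among equals, reachable findings before
    # unreachable ones; then by path so the order is stable across runs.
    kept.sort(key=lambda f: (-SEVERITY_RANK[f.severity], not f.reachable, f.path))

    gate = SEVERITY_RANK[policy.gate_severity]
    blocking = any(f.reachable and SEVERITY_RANK[f.severity] >= gate for f in kept)
    return kept[:policy.max_items], blocking


# Constructed sample report: seven raw findings, two of which are the same
# issue, one in vendored code and one already accepted.
SAMPLE_FINDINGS = [
    Finding("SQLI-001", "high", "src/orders/repo.py", "a1"),
    Finding("SQLI-001", "high", "src/orders/repo.py", "a1"),          # duplicate
    Finding("XSS-002", "medium", "src/web/render.py", "b2"),
    Finding("DESER-003", "critical", "vendor/lib/pickle_util.py", "c3"),  # vendored
    Finding("PATH-004", "high", "src/files.py", "d4", reachable=False),
    Finding("CRED-005", "high", "tests/fixtures/creds.py", "e5"),     # accepted
    Finding("RAND-006", "low", "src/util/rand.py", "f6"),
]

SAMPLE_POLICY = Policy(
    ignore_paths=("vendor/*",),
    accepted=frozenset({"e5"}),
    gate_severity="high",
    max_items=3,
)

if __name__ == "__main__":
    top, blocking = triage(SAMPLE_FINDINGS, SAMPLE_POLICY)
    for f in top:
        print(f"{f.severity:8} {f.rule_id:10} {f.path}  reachable={f.reachable}")
    print("release blocked:", blocking)
```

Run against the sample, the developer gets three items back instead of seven (the reachable SQL injection first, the unreachable path traversal second, the XSS third), and the release is blocked because a reachable high-severity finding remains. Raising the gate to critical lets the same build ship while keeping the list intact, which is the knob a team would tune rather than turning the scanner off.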

3. Support more frequent scanning

Your ability to release code securely into production, and how quickly you get feedback on it, depends heavily on how often you can scan your applications. As you add applications and scan each of them more often, you need elasticity in your application security capacity. Without it, the pressure lands on application security teams, developers, and CISOs.

Elastic systems support scalable scanning capacity, from a single scan up to however many the backlog demands. Scalability is about the number of scanners relative to the number of applications you have; frequency is about how often each of those applications is scanned. An elastic system has to handle both.

For example, if your teams commit to GitHub 20 times a day and you scan on every commit, the system has to absorb that frequency. That means burst capacity: when a queue threshold is reached, more scanners come online without anyone having to call someone or go buy another product. You spin up another container in Docker, for example, and you are done.

4. Wide coverage

Modern web applications are built on web services, and the more services and APIs you expose, the larger the attack surface your application carries. Resilience means having an application security solution that not only addresses what you are doing today, but also has the flexibility and scalability to address future challenges.

Your solution needs to be cloud-agnostic and able to cover both on-premises and SaaS environments. It should be able to pick up new languages and frameworks quickly. Breadth of coverage means supporting the full range of languages your business needs to scan now and in the future. Most businesses do not have just .NET or Java; they have dozens of languages.

If you start as a .NET shop with static analysis for .NET, and a new team arrives or another company is acquired, can you support Java? Or do you need to go out and buy a whole new set of products? A resilient application security system will scan the new applications too, and you simply decide which deployment model you want to use, from SaaS or on-premises to hybrid.

5. Make sure it’s scalable

In an elastic system, you do not need to add infrastructure to get more scanning capacity. The system is cloud-agnostic, able to spin up scan servers on demand and shut them down just as easily when they are idle. Going from needing more capacity to having it should take minutes, not a procurement cycle.

Licensing flexibility is critical to scalability. The license needs to be flexible enough that you do not have to buy another one every time you need additional capacity for static or dynamic testing, and it should let you move capacity back and forth between them as your needs change.
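The burst behaviour described in the scanning section (spin up another container when a queue threshold is reached) and the on-demand scale-up and scale-down described here are the same control loop. Below is an added example of that loop, not code from the article or any product: it sizes a pool of scanner containers from the scan backlog rather than from CPU, bursts up immediately, and only shrinks after the queue has stayed empty for a few ticks so a brief lull does not tear the pool down mid-burst. The throughput figures, replica limits and queue depths are all invented for illustration.

```python
"""Queue-depth autoscaling policy for a pool of scanner containers.

Added example; the configuration values and the queue depths fed to it
below are assumptions made for illustration, not measurements.
"""
from dataclasses import dataclass
import math


@dataclass
class ScalerConfig:
    min_replicas: int = 1
    max_replicas: int = 20
    scans_per_replica_per_hour: float = 6.0   # measured throughput of one container
    target_wait_hours: float = 0.5            # longest a queued scan may wait
    scale_down_cooldown: int = 3              # consecutive low-demand ticks before shrinking


class ScannerScaler:
    """Decides how many scanner replicas should be running right now."""

    def __init__(self, cfg: ScalerConfig):
        self.cfg = cfg
        self.replicas = cfg.min_replicas
        self.low_ticks = 0  # consecutive ticks where demand was below current size

    def desired(self, queued: int) -> int:
        """Replicas needed to drain `queued` scans within target_wait_hours."""
        per_replica = self.cfg.scans_per_replica_per_hour * self.cfg.target_wait_hours
        need = math.ceil(queued / per_replica) if queued > 0 else 0
        return max(self.cfg.min_replicas, min(self.cfg.max_replicas, need))

    def tick(self, queued: int) -> int:
        """One control-loop step. Burst up at once; shrink only after cooldown."""
        want = self.desired(queued)
        if want > self.replicas:
            self.replicas = want          # never make developers wait to scale up
            self.low_ticks = 0
        elif want < self.replicas:
            self.low_ticks += 1
            if self.low_ticks >= self.cfg.scale_down_cooldown:
                self.replicas = want      # sustained lull: release the capacity
                self.low_ticks = 0
        else:
            self.low_ticks = 0
        return self.replicas


def simulate(queue_depths, cfg=None):
    """Run the loop over a sequence of observed queue depths; return replica counts."""
    scaler = ScannerScaler(cfg or ScalerConfig())
    return [scaler.tick(q) for q in queue_depths]


# Constructed workload: a quiet morning, a burst of commits, a pathological
# backlog far beyond the cap, then a long idle stretch.
SAMPLE_QUEUE = [2, 20, 60, 1000, 0, 0, 0, 0]

if __name__ == "__main__":
    for queued, replicas in zip(SAMPLE_QUEUE, simulate(SAMPLE_QUEUE)):
        print(f"queued={queued:5d}  replicas={replicas:2d}")
```

With the default configuration each replica clears three scans inside the half-hour target, so 20 queued scans call for 7 replicas and 60 call for 20; a backlog of 1,000 is capped at 20 rather than exhausting the budget, and the pool only drops back to one replica after three consecutive empty ticks. The number the loop returns is what you would hand to `docker compose up --scale scanner=N` or write into a Kubernetes replica count; the policy is the part that is easy to get wrong, which is why it is worth testing in isolation.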

Why Cyber Resilience is Key

The latest edition of Verizon's annual Data Breach Investigations Report shows that web application vulnerabilities are a top target for cybercriminals. About 40% of the data breaches Verizon analyzed from 2019 involved attacks on web applications.

It’s clear: A strong application security program is critical to enterprise cyber resilience. Follow the guidance above to transform your approach.
