Most, if not all, software has bugs. While many of these bugs may have little or no impact on the operation of the software, some may affect the functionality or even the security of an application. If these bugs can be used by an attacker to take advantage of the application, they are considered exploitable vulnerabilities. The number of vulnerabilities in software is growing rapidly. This is caused by a number of different factors, including the rush to get software to production and a lack of widespread security training by developers.
These same factors make application security a significant challenge for development teams since they are expected to identify and correct potential flaws without negatively impacting time to market. As a result, these teams often address security issues by deploying large numbers of security solutions in parallel in the hope that the sheer number of security solutions will catch any existing vulnerabilities. However, the current state of application security demonstrates that this approach is not always effective.
The Importance of Application Security
Application security is of vital importance since every vulnerability in production software can put the user at risk and can cost the organization a significant amount of money. In 2018, over 22,000 new vulnerabilities were discovered and reported in publicly available production software. The true number of vulnerabilities in software is likely much higher due to the fact that many may not have been discovered and that cyber threat actors may hoard high-impact vulnerabilities for use in future attacks.
The sheer number of vulnerabilities in production software provides cybercriminals with a wide range of possible options for exploitation. As a result, 90% of organizations in a recent survey report that they have been the victim of a data breach caused by poor application security. Almost as many (88%) report attacks at the application level throughout the year. As long as exploitable vulnerabilities reach production, these organizations will continue to be victims of these types of attacks.
Challenges of Application Security
The impacts of poor application security are well-known to development teams. However, the need for application security is often at odds with other major criteria by which developers’ performance is evaluated. In the age of DevOps, time to product is a primary criterion for determining the success of a developer, and anything that negatively impacts this, including security, is often considered to be less important.
As a result, development teams are largely taking a piecemeal and ineffective approach to security during software development. Many software developers do not have security training, making it more difficult to identify potentially exploitable errors in their code. While security training for developers is available, it costs the organization money and takes away time from actual development.
As a result, development teams are expected to secure their products with a limited understanding of security. This is accomplished by taking a “quantity over quality” approach to security tools. Development teams deploy a wide range of security solutions but do not take steps to ensure that the tools are interoperable or deployed to best advantage. As a result, security vulnerabilities slip through the cracks and threaten the security of the software’s users.
The lack of understanding of security also causes development teams to make decisions based upon a lack of information or false data. For example, open-source components are often considered to be more secure since they can be publicly reviewed for vulnerabilities. However, this does not guarantee that this review has ever occurred. Many development teams integrate open-source components into their code without any security assessment, causing them to inherit new vulnerabilities from their supply chain.
Securing Web Applications
The ideal solution to the application security challenge is to train developers to understand and recognize common security threats and provide them with the time and resources to perform comprehensive assessments of their products and identify any issues. However, the focus on time to product means that this solution is unlikely to be implemented on a wide scale.
Development practices that implement effective security and decrease the incidence of application vulnerabilities require an integrated and intelligent approach to security. While extremely effective security solutions are available to development teams, a development team can use them to greatest impact only if it chooses the right tool for the job and deploys it to best advantage.
For example, web application firewalls (WAFs) and runtime application self-protection (RASP) are both extremely effective at protecting web applications against common types of attacks. While either or both can be used in many contexts, making the right choice has a significant impact on security and the cost to the organization. A WAF is designed to protect web applications at the network boundary and is designed to learn how an organization’s web presence works as a whole and to protect it appropriately. RASP, on the other hand, provides extremely specialized and in-depth protection to a single application, which is useful for applications interacting directly with users or processing sensitive or valuable data.
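As an added illustration of the placement difference described above (example code, not from the original article), here is a minimal Python sketch: a boundary filter that sees only request content, beside an in-process guard that sees the exact statement one application is about to hand to its database. The signature list, the registered-template check and the in-memory sample database are constructed assumptions, not any product's mechanism.

```python
import re
import sqlite3

# Constructed sample signatures for the boundary (WAF-style) check. A boundary filter
# only sees the HTTP request; it has no knowledge of which query the app will build.
WAF_SIGNATURES = [re.compile(p, re.I) for p in (r"'\s*or\s+\d+\s*=\s*\d+", r"<script\b")]

def waf_filter(request: dict) -> bool:
    """Boundary check: True if the request may pass, judged on request content alone."""
    return not any(sig.search(v) for v in request.get("query", {}).values()
                   for sig in WAF_SIGNATURES)

# RASP-style guard: runs inside the process at the point the application executes a
# statement, so it can compare against what this one application intends to run.
# Assumption (hypothetical): the app registers its parameterised statement templates.
ALLOWED_TEMPLATES = {"SELECT id, name FROM users WHERE name = ?"}

def rasp_guard(sql: str) -> bool:
    """In-app check: True only if the statement text is a registered template."""
    return sql in ALLOWED_TEMPLATES

def execute_guarded(conn: sqlite3.Connection, sql: str, params: tuple) -> list:
    """Single choke point through which every statement must pass."""
    if not rasp_guard(sql):
        raise PermissionError("RASP: statement does not match a registered template")
    return conn.execute(sql, params).fetchall()

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample data so the sketch runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Intended code path: user data travels as a bound parameter."""
    return execute_guarded(conn, "SELECT id, name FROM users WHERE name = ?", (name,))

def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Defective code path: user data is spliced into the statement text. Even benign
    input changes the statement's structure, so the in-app guard refuses it regardless
    of whether the boundary filter saw anything suspicious in the request."""
    return execute_guarded(conn, f"SELECT id, name FROM users WHERE name = '{name}'", ())

if __name__ == "__main__":
    db = setup_db()
    print(waf_filter({"query": {"name": "alice"}}))   # True
    print(lookup_parameterised(db, "alice"))           # [(1, 'alice')]
    try:
        lookup_concatenated(db, "alice")
    except PermissionError as err:
        print(err)
```

The boundary filter and the in-app guard answer different questions: the first judges request content it cannot relate to any code, the second judges the one application's actual behaviour, which is why the text above pairs RASP with applications handling sensitive data.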
The effectiveness of security solutions is also diminished if they are not properly integrated with one another. Monitoring feeds, logs, and dashboards from a variety of security products gives a security team a fragmented view of the network and slows response time to potential threats. When designing security for development, it is important to ensure that solutions integrate well to provide maximum protection.