National Harbor, Md. — While many businesses are paying attention to application security, Gartner analyst Ramon Krikken believes crafting effective application security programs continues to be a significant challenge for enterprises.
But with threat actors increasingly targeting applications, it is imperative for organizations to recognize the importance of an application security strategy. But many organizations still don’t have formal application security programs in place, Krikken told attendees during a session at the Gartner Security & Risk Management Summit.
And for those that do, only 38% believe their current application security programs cover 76% to 99% of their apps and 25% said their current program only covers 1% to 25% of their apps, Krikken said, citing data from a recent survey from application management vendor Micro Focus.
“We’re worried about how security is struggling to keep up with still weak application security, both in the legacy world and in this emerging world of DevOps, and things like containers, microservices,” he said.
To highlight the importance of application security, Krikken cited several data points, including 90% of active applications that have a known CVE score and 92% of external web applications that have exploitable security flaws or weaknesses.
“In essence, it is still very easy, unfortunately, for somebody out there to just launch a scan, go look at a bunch of applications and find at least one issue that they can take advantage of to do something bad to the application,” he said.
When compared to other areas like identity and access management, the application security discipline is fairly new in cybersecurity, Joseph Feiman, chief strategy officer at WhiteHat Security told SearchSecurity.
While adoption of application security technology is growing, which he said is a positive sign, there is still “need for huge progress” in the area. Budget is also a reason for the slow adoption of application security technologies within an enterprise, Feiman added.
“Traditionally, their security budget is spread entirely between identity and access management, network security and endpoint protection,” he said. “Because those disciplines have been in the market for the last 40 to 60 years, their mentality is open towards those. They still need to make this leap forward and understand that … [application security] technology serves the purpose to protect the most important asset, which is an application.”
DevOps and application security programs
While there is a lot of excitement over DevOps today, Krikken said not every company operates like Netflix and deploys codes thousands of times every day.
According to a Micro Focus survey, 35% organizations said they have implemented DevOps but still have a long way to go; on average they deploys code three times a week.
“That’s actually pretty good news for [security professionals] in the sense that as security is still trying to develop all these application security processes that work with and also inside the DevOps pipeline, we still have a little bit of time to say, ‘We can get started by getting the tooling and the processes right, and then on an ongoing basis, we can worry about things like speed,'” Krikken said.
But security professionals should adapt their security testing tools and processes to that of the developers’ environment, Krikken advised.
To get the best results, Feiman said, application security has to be built in the entire lifecycle of an application.
“It means that from the very moment, we start writing the first line of your code, you should be testing it for security and vulnerability in the code, and then when you build your application … you have to test it before you deploy it,” he said. “Even after it’s deployed, you have to keep testing it until the end of an application’s lifecycle.”
Developers are also a lot farther ahead when it comes to adoption of agile software development and DevOps, he said, compared to where an organization’s security processes are.
According to the 2018 State of DevOps Report from Puppet and Splunk, only 39% of the security teams are involved in decisions that fundamentally influence how an organization’s application architecture and their data architecture look. This is because DevSecOps is relatively difficult to put into practice, Krikken said.
While it’s important to train developers on the basics of secure coding, he said, an attempt to expect them to understand everything about application security is futile.
Feiman agreed and said attempts to make developers application security experts have failed and will fail.
Krikken suggested adopting a security champion model where security professionals essentially try to make security easier for the developers. It also helps in speeding up the security testing process, he added.
“The idea of having a security champion is [appointing] somebody who will work with the development team,” Krikken said. “Often, they’re actually developers who know about security, to help a project move along and say, ‘Here are the things you should worry about when you start the project; here’s the array of risks and vulnerabilities that we’re going to consider when we’re building this application,’ which turns out to be incredibly helpful.”
Security practitioners should strive to make security invisible, or easy, or understandable, he said, because that is the “only way that we can make application security go fast.”