Meticulous Prep and Planning–A Linchpin of Modern AppSec Programs
This is the second of a six-part blog series that highlights findings from a new Mend white paper, Five Principles of Modern Application Security Programs. Be sure to look out for our upcoming blogs on each of the five principles.
It’s no exaggeration to say that IT and application security teams from all organizations are facing a perfect storm. While many had started down the path of digital transformation before the COVID pandemic began, they were soon forced to accelerate digital transformation timelines in order to keep remote employees connected, provide the goods and services needed by customers, and build and maintain relationships with partners, vendors and other organizations vital to their success.
But in doing so, they also increased their dependence upon applications to the extent that organizations today now have an average of almost 1,000 discrete applications – an increase of 13 percent from last year. Meanwhile, cyberattackers have ramped up their efforts to take advantage of weaknesses in application security (AppSec) strategies, which is clearly evidenced by increasing attacks against open-source software (OSS) and the software supply chain.
As companies grapple with the cost of cybercrime — loss of data, money, reputation, and customer trust, to name just a few — it’s vital to understand five key principles of modern application security that enable companies to respond quickly to threats and minimize damage, while also continuing to operate even while under attack. Let’s take a look at the first principle:
Principle #1: Meticulous prep and planning
It might seem obvious, but the reality is that attackers would be much less successful in their endeavors if they had less to attack. Unfortunately, many organizations are still woefully unprepared for attacks that target applications. In 2021 alone, organizations faced an average of 270 attacks, and more than half of organizations experienced a data breach.
Therefore, the first role of the application security team should be to reduce the attack surface, and that requires a granular level of detail into both the application development environment and the applications themselves. However, software and applications are composed of increasingly complex relationships between multiple components and dependencies, all of which must be safeguarded. You can’t protect components and dependencies, or detect and fix their vulnerabilities, if you don’t know where they are and what they are. And that’s where the prep and planning comes into play.
Practically speaking, AppSec teams can take a number of steps to prevent attacks by doing the upfront work on the following:
- Gain a thorough understanding of your application operating environment, with special emphasis placed on applications that communicate via the internet
- Build a detailed inventory of your software, including what’s in it, the level of risk it carries, whether licenses are compliant, and whether the application has a software bill of materials (SBOM)
- Understand the potential impact that every application has on your organization, including the sensitive data the application interacts with, application dependencies, and possible vulnerabilities
Learn more about what IT and security teams can do to prevent application attacks by downloading a copy of Five Principles of Modern Application Security Programs.
