Software applications are the weakest link when it comes to the security of the enterprise stack. In The State of Application Security, 2022, Forrester reports that the majority of external attacks occur either by exploiting a software vulnerability (35 percent) or through a web application (32 percent).
Source: Forrester, The State of Application Security, 2022
As applications become more complex and software development timelines shrink, developers are under pressure to release new features as quickly as possible. As a result, developers rely more heavily on third-party libraries, particularly open source components, to achieve differentiated and compelling application functionality. This increase in open source components forces organizations to adjust their security practices. In addition, new frameworks like containers and APIs add to the complexity of application security.
With developers under pressure to continually release new features, organizations face the very real risk that security won’t keep up. One of the ways they can secure their software is by adopting application security best practices and integrating them into their software development life cycle.
To this end, here are the top ten application security best practices you should implement in your organization.
You can’t protect what you don’t know you have.
Do you know which servers you use for specific functions or apps? Do you know which open source components are in your various web apps? Do you know what dependencies these components have?
Don’t think tracking your assets is that important? Just ask Equifax how important it is to remember which software is running in which application. In one of the most high-profile cases of its kind, the credit rating agency was hit with a $700 million fine for failing to protect the data of over 145 million customers. Equifax suffered the breach because it failed to patch the vulnerable Apache Struts open source component in one of its customer web portals. The company claimed it wasn’t aware that the vulnerable component was being used in that portal.
So, keeping track of your assets can prevent serious issues. The process should be automated as much as possible since it can feel like a Sisyphean task as organizations continue to scale their development.
In addition to tracking your assets, take the time to classify them, noting which ones are critical to your business functions and which are of lower importance. This comes in handy later for your threat assessment and remediation strategy.
Once you have a list of what needs protecting, you can begin to figure out what your threats are and how to mitigate them.
What are the paths that hackers could use to breach your application? Do you have existing security measures in place to detect or prevent an attack? Are more or different tools needed to protect yourself?
These are key questions you need to answer as part of your threat assessment. However, you also need to be realistic about expectations for how secure you can be. Be aware that even if you take the maximum level of protection available, nothing is ever unhackable. You also need to be honest about what kind of measures you think your team can maintain. Pushing for too much can lead to your security standards and practices being ignored. Remember that security is a marathon, not a sprint.
When judging your risk, use the basic formula: Risk = Probability of Attack x Impact of Attack.
Are you patching your operating systems with the latest versions? What about third-party software? If you’re lagging behind, then you’re exposed to risk.
Patching your software with updates either from commercial vendors or the open source community is one of the most important steps you can take to ensure the security of your software. When a vulnerability is responsibly discovered and reported to the owners of the product or project, it is then published on security advisories and databases like Mend Vulnerability Database for public consumption. Ideally, a fix is created and pushed out before publication, giving users the chance to secure their software.
If you don’t apply a patch when one becomes available, you are skipping this important step toward better security.
Developers may be hesitant to upgrade to the latest version of the software if it could break your product, but automated tools can help tremendously here. Updating and patching should be at the top of your application security best practices list.
Containers have grown in popularity over the past few years as more organizations embrace the technology for its flexibility, which makes it easier to build, test, and deploy across various environments throughout the software development lifecycle (SDLC).
A significant security advantage of containers is that they have a self-contained OS environment. This means that they are segmented by design, which lowers the risk to other applications. However, containers still face risks such as a container breakout attack, in which the container no longer stays siloed from its host and neighbors. Also, the code that’s stored within the container may itself be vulnerable.
To secure your container usage throughout the CI/CD pipeline, you should run automated scans for proprietary and open source vulnerabilities from start to finish, including in your registries.
Another application security best practice for working with containers is to use signatures. Make sure you sign your own images with tools like Docker Content Trust if you are using Docker Hub, or Shared Access Signature if your team is on Microsoft’s Azure.
Vulnerabilities have been on the rise in recent years, and this trend shows no sign of letting up anytime soon, so the need to remediate flaws has intensified. Given the scale of the task, it’s essential for teams to prioritize which components they should remediate to keep their applications secure.
Doing so requires performing a threat assessment based on the severity of a vulnerability (CVSS rating), how critical the impacted application is to your operations, and a variety of other factors. When it comes to open source vulnerabilities, you need to know whether your proprietary code is actually using the vulnerable functionality in the open source component. If your product never calls the vulnerable functionality, the vulnerability cannot be triggered through your code and is not a high risk, even if its CVSS rating is critical.
A smart strategy is one that automatically prioritizes the most pressing threats first, taking into account the factors at play, and leaving the low-risk ones for later.
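The risk formula given earlier (Risk = Probability of Attack x Impact of Attack) and the prioritization factors just described (CVSS severity, asset criticality, and whether the vulnerable functionality is actually reachable from your code) can be combined into a simple ranking. The following is an added example, not code from the original article or from Mend; the findings, advisory identifiers, asset names and the weighting constants are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    vuln_id: str      # placeholder advisory id (constructed, not a real CVE)
    component: str    # open source component carrying the vulnerability
    cvss: float       # CVSS base score, 0.0 to 10.0
    asset: str        # application the component is deployed in
    reachable: bool   # does proprietary code call the vulnerable functionality?


# Assumed business-criticality weights per asset, taken from the asset inventory step.
ASSET_CRITICALITY: Dict[str, float] = {
    "customer-portal": 1.0,
    "build-tooling": 0.6,
    "internal-wiki": 0.4,
}


def attack_probability(f: Finding) -> float:
    """Probability term: CVSS scaled to 0..1, cut by 90% when the vulnerable path is never called."""
    p = f.cvss / 10.0
    if not f.reachable:
        p *= 0.1
    return p


def attack_impact(f: Finding) -> float:
    """Impact term: how critical the affected asset is to the business (0.5 if unclassified)."""
    return ASSET_CRITICALITY.get(f.asset, 0.5)


def risk_score(f: Finding) -> float:
    """Risk = Probability of Attack x Impact of Attack, rounded for stable ordering."""
    return round(attack_probability(f) * attack_impact(f), 3)


def risk_bucket(score: float) -> str:
    """Assumed remediation buckets; thresholds are a policy choice, not a standard."""
    if score >= 0.6:
        return "now"
    if score >= 0.3:
        return "this sprint"
    return "backlog"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Most pressing threats first, low-risk ones last."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings. Note the critical-CVSS but unreachable one in the customer portal.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-ADV-0001", "parser-lib", 9.8, "customer-portal", reachable=False),
    Finding("EXAMPLE-ADV-0002", "http-client", 7.5, "customer-portal", reachable=True),
    Finding("EXAMPLE-ADV-0003", "markdown-lib", 9.8, "internal-wiki", reachable=True),
    Finding("EXAMPLE-ADV-0004", "yaml-lib", 5.3, "build-tooling", reachable=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"{s:5.3f}  {risk_bucket(s):12}  {f.vuln_id}  {f.component}@{f.asset}"
              f"  cvss={f.cvss} reachable={f.reachable}")
```

Running it ranks the reachable CVSS 7.5 finding in the customer portal first and pushes the CVSS 9.8 finding whose vulnerable function is never called to the bottom, which is the behaviour the passage above argues for: severity alone is not the priority.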
This one has been on the OWASP Top 10 for years, making encryption of your data at rest and in transit a must-have on any application security best practices list.
Failure to properly lock down your traffic can lead to the exposure of sensitive data through man-in-the-middle attacks and other forms of intrusion. If, for example, you are storing user IDs and passwords or other types of info that could put your customers at risk in plain text, then you are putting them at risk.
Your basic encryption checklist should include making sure you are using SSL with an up-to-date certificate. HTTPS has become the standard these days, so do not be left behind. Hashing stored passwords rather than keeping them in plain text is also a good idea.
Also, always remember to work with security products that have a dedicated team and the experience to do it right.
Not everyone in your organization needs to have access to everything. So, the next application security best practice is to limit access to applications and data to only those who need it.
The reason is twofold. First, suppose a hacker is able to gain access to a system using the credentials of a team member in one area of your business. In that case, you need to prevent the hacker from roaming into areas that handle other, more sensitive data, such as finance or legal. Second is the concern over insider threats, whether unintentional — losing a laptop or attaching the wrong file to an email — or malicious. By managing privileges and adhering to the Principle of Least Privilege, which gives employees access to only the data they need, you can reduce your exposure to risk.
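The two concerns above translate into two checks: a default-deny policy so that a compromised engineering credential cannot read finance data, and a periodic comparison of what each role is granted against what it actually uses, so that unused grants can be removed. The following is an added example, not code from the original article or from Mend; the roles, resources and access log are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed policy: role -> resource -> allowed actions. Anything not listed is denied.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "engineering": {"source-repo": {"read", "write"}, "ci-logs": {"read"}},
    "finance": {"ledger": {"read", "write"}, "payroll": {"read", "write"}},
    "legal": {"contracts": {"read", "write"}},
}

Request = Tuple[str, str, str, str]  # (user, role, resource, action)


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Default deny: an unknown role, resource or action all evaluate to False."""
    return action in POLICY.get(role, {}).get(resource, set())


def denied_requests(requests: List[Request]) -> List[Request]:
    """Requests the policy rejects; in production these are the lines worth alerting on."""
    return [r for r in requests if not is_allowed(r[1], r[2], r[3])]


def unused_grants(policy: Dict[str, Dict[str, Set[str]]],
                  requests: List[Request]) -> Dict[str, List[Tuple[str, str]]]:
    """Grants no member of the role has exercised: candidates for removal under least privilege."""
    used: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for _user, role, resource, action in requests:
        if is_allowed(role, resource, action):
            used[role].add((resource, action))
    report = {}
    for role, grants in policy.items():
        granted = {(res, act) for res, acts in grants.items() for act in acts}
        unused = granted - used[role]
        if unused:
            report[role] = sorted(unused)
    return report


# Constructed access log. The last entry is an engineering credential reaching for finance data.
ACCESS_LOG: List[Request] = [
    ("alice", "engineering", "source-repo", "read"),
    ("alice", "engineering", "source-repo", "write"),
    ("bob", "engineering", "ci-logs", "read"),
    ("carol", "finance", "ledger", "read"),
    ("carol", "finance", "payroll", "read"),
    ("dave", "legal", "contracts", "read"),
    ("alice", "engineering", "ledger", "read"),
]

if __name__ == "__main__":
    print("denied:", denied_requests(ACCESS_LOG))
    print("unused grants:", unused_grants(POLICY, ACCESS_LOG))
```

Over the constructed log, the engineering read of the ledger is denied, and the report shows that finance never used its write permissions and legal never wrote contracts, which is exactly the kind of over-provisioning that least privilege says to trim.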
In recent years, developers have taken more ownership of application security, especially when it comes to tasks like vulnerability management. As security shifts left, developer teams are testing early and often, pushing as many of their security checks toward the beginning of the SDLC, when vulnerabilities are easier and less costly to fix. Given the sheer number of vulnerabilities, developers need automated tools to help them manage the unwieldy testing process.
For testing proprietary code during development, static application security testing (SAST) and dynamic application security testing (DAST) can help to find potential vulnerabilities. While SAST and DAST play an important role in closing security holes, proprietary code is a relatively small portion of your overall codebase.
Open source components generally make up between 60% and 80% of the codebase in more than 92% of modern applications. This means securing open source components should be a top priority on your application security checklist. Software composition analysis (SCA) tools enable teams to run automated security checks and reporting throughout the SDLC, identify all of the open source components in their environment, and detect which ones have known vulnerabilities that put your applications at risk.
By shifting your automated testing left for open source security issues, you can better manage your vulnerabilities.
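To make the SCA step above concrete, here is an added example (not code from the original article or from Mend) of the core operation such a tool performs: read the pinned open source components out of a lock file, and match each against an advisory database by vulnerable version range. The advisory database, package names and lock file are constructed, and the version parser is a simplified numeric one rather than a full PEP 440 implementation.

```python
import re
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified dotted numeric version, e.g. '2.3.0' -> (2, 3, 0). Assumption for this example."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Collect 'name==version' pins from a requirements-style lock file, ignoring comments."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
    return pinned


# Constructed advisory database: affected range is introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-101", "package": "examplelib", "introduced": "2.0.0", "fixed": "2.4.1", "cvss": 9.1},
    {"id": "EXAMPLE-ADV-102", "package": "otherlib", "introduced": "1.0.0", "fixed": "1.0.5", "cvss": 5.4},
    {"id": "EXAMPLE-ADV-103", "package": "examplelib", "introduced": "0.0.0", "fixed": "1.9.0", "cvss": 7.2},
]


def is_affected(version: str, advisory: dict) -> bool:
    """Half-open range check, so a component already at the fixed version is not reported."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(lockfile_text: str, advisories: List[dict] = ADVISORIES) -> List[dict]:
    """Match every pinned component against every advisory; highest CVSS first."""
    pinned = parse_requirements(lockfile_text)
    hits = []
    for adv in advisories:
        version = pinned.get(adv["package"])
        if version is not None and is_affected(version, adv):
            hits.append({"package": adv["package"], "version": version, "advisory": adv["id"],
                         "cvss": adv["cvss"], "fixed_in": adv["fixed"]})
    return sorted(hits, key=lambda h: h["cvss"], reverse=True)


# Constructed lock file; otherlib sits exactly on its fixed version.
SAMPLE_LOCKFILE = """\
# constructed lock file for the example
examplelib==2.3.0
otherlib==1.0.5   # already at the fixed version
safelib==3.1.0
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOCKFILE):
        print(f"{hit['package']}=={hit['version']}: {hit['advisory']} (CVSS {hit['cvss']}), upgrade to {hit['fixed_in']}")
```

Run in CI against the lock file, a non-empty result fails the build early in the SDLC, which is what "shifting left" means in practice. The reported `fixed_in` version is the input to the patching practice discussed earlier.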
While automated tools help you to catch the vast majority of security issues before a release, no application security best practices list is complete without penetration testing. Penetration testers comb through your code to find weak points in your apps. Good penetration testers know exactly what a determined hacker will try when breaking into your application.
You can hire professional hacking firms or use freelancers who work with bug bounty programs like HackerOne and BugCrowd to seek out vulnerabilities on their own for cash rewards. Despite the extra expenses of working with penetration testers, you are better off paying for these “white hat” hackers to try and break in, rather than face the consequences of a malicious breach in the wild.
This should be an easy one to secure, but it is surprising how many developers don’t properly secure their tokens for third-party services.
Unfortunately, you can easily find unsecured tokens online by searching through popular developer websites. Developers simply include the token details in their open source repos instead of storing them somewhere more secure.
Properly securing your third-party tokens should be imperative for application security. Don’t obtain tokens and then leave them in your code, just waiting to be taken.
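The practical defence against the problem described above is to scan source for committed tokens before it reaches a repository and to load tokens from the environment or a secrets manager instead. The following is an added example, not code from the original article or from Mend: a small scanner combining assignment patterns with a Shannon-entropy filter (so placeholder strings are not reported) and a `load_token` helper. The detection patterns and threshold are assumptions; the sample source is constructed, and the `AKIA...EXAMPLE` value is the example key id from AWS documentation, not a live credential.

```python
import math
import os
import re
from typing import Dict, List

# Assumed detection patterns for this example; real providers' token formats vary.
PATTERNS = {
    # group 2 is the candidate value assigned to a suspicious variable name
    "assigned-secret": re.compile(
        r"""(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]"""),
    # fixed-format key id: no entropy check needed
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, human-readable placeholders score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(ch) / n) * math.log2(s.count(ch) / n) for ch in set(s))


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Dict]:
    """Report (line, kind, entropy) for each likely hard-coded credential in a source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(2) if m.lastindex else m.group(0)
                if kind == "assigned-secret" and shannon_entropy(value) < entropy_threshold:
                    continue  # low-entropy placeholder such as "your_api_key_here"
                findings.append({"line": lineno, "kind": kind,
                                 "entropy": round(shannon_entropy(value), 2)})
    return findings


def load_token(env_var: str) -> str:
    """The alternative to committing a token: read it from the environment at runtime."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; supply it via the environment or a secrets manager")
    return value


# Constructed source file under review.
SAMPLE_SOURCE = '''\
import requests
API_KEY = "your_api_key_here"                 # placeholder, low entropy: not flagged
PAYMENT_TOKEN = "Zq9vX2mLp7Rt4KsW8nBy3HdJ"    # constructed high-entropy value: flagged
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"              # AWS documentation example key id: flagged by format
token = load_token("PAYMENT_TOKEN")           # the right way: read from the environment
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} (entropy {f['entropy']})")
```

Wired into a pre-commit hook or a CI job, a non-empty result blocks the commit; the entropy filter keeps obvious placeholders from turning the check into noise that developers learn to ignore.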
Each of these application security best practices should be a part of your organization’s ongoing development process. The above list contains the vital steps that should be taken to minimize the risks to your company’s applications and data.
Staying ahead of hackers largely requires you to avoid the common mistakes that others are likely to make. While no perimeter or application security measures are ever fully hack-proof, following these best practices goes a long way toward making yourself a harder target to exploit than others, so they will turn their attention elsewhere and leave you and your data safe for another day.
Mend provides an application security platform that enables you to perform all these best practices as easily and seamlessly as possible to reduce enterprise application security risks. Simple to use and nearly invisible to developers, Mend’s technology improves AppSec outcomes without affecting development deadlines by integrating its application security tools and processes within your developers’ existing workflow.
Mend’s seamless integration is matched by its automated remediation and prioritization capabilities, and its limitless scalability. It finds and automatically fixes vulnerabilities, thereby radically reducing your attack surface and developers’ security burden, and accelerating the delivery of applications. Its comprehensive security solution covers your entire code base, with Mend SAST (static application security testing) for custom code, Mend SCA (software composition analysis) for open source, Mend Supply Chain Defender for malicious package detection and blocking, and Mend Renovate, its dependency update solution.
Mend has been recognized by Forrester as a leader in the SCA market. Mend’s mission is to give you confidence in your code and your applications, what we call CODEfidence — knowing that your applications and software are protected, and you can fix whatever comes your way.
So, when it comes to application security, how CODEfident are you?
The top ten application security best practices are:
1. Track Your Assets
2. Perform a Threat Assessment
3. Stay on Top of Your Patching
4. Manage Your Containers
5. Prioritize Your Remediation Ops
6. Encrypt, Encrypt, Encrypt
7. Manage Privileges
8. Embrace Automation for Your Vulnerability Management
9. Penetration Testing
10. Be Careful with Tokens
These best practices will help you ensure that you have the best possible strategy and tools in place to reinforce your application security. This combination of ten application security best practices provides the most comprehensive set of techniques to detect, identify, and remediate vulnerabilities as quickly and as easily as possible, so that you can reduce risk to your applications.
Each of these best practices helps you improve your application security, but they are best employed together as part of a comprehensive and integrated approach to application security. Performing them in isolation, or outside such an approach, will render them less effective, and your application security may suffer as a result.