I recently had the pleasure of joining Marina Novikova, partner solutions architect from AWS, in a webinar to discuss the key principles for building modern application security programs. We explored the big issues facing AppSec today, and why many companies are taking a new approach. As the world becomes increasingly application-driven, security can no longer be simply a box-ticking exercise for compliance purposes. It must do much more to ensure that software is delivered safely.
71% of IT and security leaders say their portfolios of applications have become more vulnerable to attack. We saw a 33% rise in the number of open source software vulnerabilities added to our vulnerability database in the first nine months of 2022 compared to the same period in 2021. Open source vulnerabilities more than doubled from 2018 to 2020, and software supply chain attacks are expected to triple by 2025. Because open source code is used in 70% to 90% of all applications today, applications face significant risks.
We have also seen a steady increase in the number of malicious packages. Data from Mend Supply Chain Defender shows a steady quarterly increase in malicious packages published in 2022, with a significant jump in Q3. At least ten are published each day to npm and RubyGems, showing that attackers are deploying new techniques to disrupt organizations’ applications.
As more development teams move to open source and as attackers become more sophisticated, traditional application security programs often prove ineffective, because they don’t keep up with today’s trends. Application security often conflicts with ever-accelerating development lifecycles, and as a third of global companies are expected to move more than 75% of their workloads into the cloud, the hits just keep coming. What’s needed is a new, modern AppSec approach that’s more nimble and ready to react.
The new approach: five key principles
At the core of a modern AppSec methodology are five key principles that will harden your security:
Preparation and planning to maximize visibility. You can only protect or fix what you know you have. Ensure you know the contents of your open source, and how it’s stored and used. Use a software bill of materials (SBOM) to do this. Continuously review and update this process to stay ahead of new vulnerabilities and attacks. Always know who has access to your code, software, and data, and be sure you regularly update components and dependencies. Moving to the cloud can be beneficial because cloud service providers offer lots of great tools to help you.
Don’t just shift left. Shift smart. Shifting left — performing security scans early — improves security, but don’t stop there. Shift smart. This means integrating vulnerability prioritization and remediation tools into your team’s development environments, inside your code repositories, your build servers, and bug-tracking tools to address potential risks as soon as they arise. By shifting smart, you put security in developers’ hands during development, and you make it easy and quick for them to fix their code.
Automate. Automating processes addresses the need for speed in detection, triage, and response, while easing the stress caused by the ongoing shortage of cybersecurity professionals. It saves time and reduces risk by ensuring all current versions are in use and by deploying solutions that automatically detect and remediate vulnerabilities. You can make it easier to integrate application security into the software development lifecycle using tools such as Mend, especially if you’re using GitHub or other repositories, because pull requests will automatically either bring you a less vulnerable version or take you to the latest version. With our Merge Confidence feature, we can give you a score that shows whether you’ll have minimal issues or no issues at all with any particular libraries or updates.
Apply good governance. Having a robust process and a good cybersecurity incident response plan is vital, but many organizations neither have them in place nor apply them consistently. It’s also important to regularly review and test processes to improve visibility and applications, assess data, and rapidly address vulnerabilities and apply patches. Create playbooks and run drills to ensure you can address the newest vulnerabilities and threats.
Change the culture. Inculcate a security mentality throughout your teams, your SDLC, and your organization. Security is a collective effort. Goals must be aligned between security and DevOps teams. Best practices must be applied by all, but make sure they don’t become so onerous that they’re ignored or avoided altogether. Listen to your teams’ needs and concerns to find ways to integrate and automate the process so that they readily adopt security best practice. Appoint security champions on each team. They can spearhead best practice at every point in the SDLC, build trust in the process, and improve the often fraught relationship between security and development teams.
The ingredients for success
Applying these principles will harden your application security posture. This is critical now that organizations increasingly rely on apps to drive their businesses. As apps proliferate, the attack surface expands, and they become an increasingly attractive target for smart attackers. You need to ensure that your application security can keep pace with them. These principles form the foundation for modern AppSec strategies, making them nimble enough to adjust to changing conditions and handle a constantly evolving threat landscape.
Chris Lindsey is a Senior Solutions Architect at Mend.io. He has thirty years of experience leading teams in programming and software, solutions, and security architecture. For three years, he built and led an entire application security program that includes the implementation of mature AppSec programs, including oversight of security processes and procedures, SAST, DAST, CSA/OSA, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.