This year’s RSA Conference was full of the latest and greatest tools and tips for improving information security in the enterprise. I specifically sought out topics related to application security and the sessions didn’t disappoint. It was nice to hear about emerging tools as well as the importance of not ignoring the basics. The latter is something that I have been evangelizing for decades and it’s good to see that it’s finally getting traction, especially in the application security space.
I gleaned the following notes from the application security-focused sessions at this year’s RSA Conference.
- Given the growing complexity in terms of interconnectedness with the cloud, security teams are not positioned to keep up with code-related demands. The discovery of vulnerabilities needs to continue shifting left/upstream so that developers can be a part of the solution earlier on.
- A focal point that has been largely ignored up to this point is the developer experience as it relates to them doing their part in testing for application security vulnerabilities. Quality of results and the minimization of false positives are critical for finding the best application vulnerabilities in the shortest amount of time. All parties involved, especially developers, simply don’t have the time required for traditional distractions involving these areas. Tools and processes should integrate into how developers work (wherever that may be) and allow for quick testing with easily consumable results. It can be especially problematic when developers are at the mercy of someone else running the tools for them when delays are involved.
- We can secure only the things that we know about and understand. There are still so many APIs that do not fall under the umbrella of traditional vulnerability and penetration testing. Many APIs are unaccounted for and ignored altogether when it comes to security oversight. Or the assumption is that someone else is taking care of the security of these application environments, e.g., via a SOC audit, which can be a very dangerous approach.
- Not every application deserves the same level of attention and scrutiny. There are usually multiple applications with different risk profiles and tolerances. Challenges start when all applications rely on the same shared infrastructure. A large portion of application environments are now cloud native. The infrastructure might be suitable for some lower priority applications but could be wide open for exposures and attacks unsuitable for business-critical applications. There needs to be a better focus on further defining what business-critical means. Businesses need to be careful when excluding HR, financial, and CRM applications from existing security efforts.
- As pervasive and seemingly mature as they are, most components that make up what we refer to as application security are still in their infancy. The challenges around application security are growing exponentially due in part to the fact that web applications are one of the main targets of criminal hackers (from the 2022 Verizon Data Breach Investigations Report).
- There are many opportunities to build stronger security programs especially as it relates to basic security controls, threat modeling, and a focus on safety and resilience. One area where such changes can be implemented is with application security standards. The minimum standards need to improve over time. Improvements involving application (and API) visibility and metrics can help tremendously.
- In many organizations, the focus has shifted from application security to product security. This necessitates involvement from all sides including traditional application security staff, DevSecOps staff, and cloud security staff.
- In application security, there’s always the option of doing nothing with the threats, vulnerabilities, and risks that have been identified. Still, it pays to understand the outcomes associated with doing nothing such as system outages, data breach notifications, compliance challenges and project delays.
- It’s absolutely necessary to ensure that information security is everyone’s responsibility. This requires psychological concepts involving changing mindsets and behaviors, culture shifts and so on. Security professionals and executives alike are responsible for outreach and partnership with everyone involved to do things such as properly set expectations, reward good behaviors when they see them, and provide the necessary training and tools.
- There was a good bit of talk at the conference about protecting data in the cloud. Even though the presentations were focused on specific endpoint and related technologies, one thing that’s worth noting is that these cloud environments have applications that introduce vulnerabilities. With all the technology silos, data scattered about in the cloud, and inconsistent security controls, it’s an entire ecosystem of potential weaknesses. Make sure that you – or someone – are keeping an eye on these applications and their vulnerabilities.
If you missed this year’s RSA Conference but still want to experience it and learn more, you can register for an on-demand pass and access many of the resources. Either way, don’t let the hype surrounding conferences such as this one distract you from focusing on what’s important. The headlines and stories coming out of the RSA Conference will certainly fizzle in the coming weeks and months, but that doesn’t mean you should stop getting better.
Relentless incrementalism – the act of doing something/anything every single day to make improvements – is the key to longer-term application security success. Based on what I’m seeing in my work, improving just one or two of these areas of application security can produce tremendous payoffs in terms of overall risk mitigation. Take one or two of the above items – or the whole list if you can handle it all – and make them your focal points for the coming year. Even if you simply make small tweaks here and there, you’ll no doubt enhance your program and not end up an application security statistic like so many businesses have to this point.
Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 34 years in IT and 28 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that are creating a false sense of security. He has written 12 books on security including the best-selling Hacking For Dummies (currently in its 7th edition) and The Practical Guide to HIPAA Privacy and Security Compliance (currently in its 2nd edition). Kevin has written over 1,300 articles on security and regularly contributes to various TechTarget sites including SearchSecurity.com. He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech.