Courtesy of Smit Shah - https://www.linkedin.com/in/smitshah0
Best Application Security Practices
https://resources.whitesourcesoftware.com/blog-whitesource/application-security-best-practices
Overview
Web applications are continually growing more complex, and developers are under pressure to release updates and new features as quickly as possible to stay competitive. Even with this increased demand and shortened development timelines, the security of these applications has to keep pace with the development work. That is achieved by adopting application security best practices and integrating them into the software development life cycle.
Key Points
Ten best practices that help integrate security into the development process:
Tracking Your Assets
Know what each component of your system does, which data it handles and where it runs. An inventory of these assets gives you the list of what needs protecting.
Perform a Threat Assessment
Once you have an inventory of what needs protecting, prioritize the risk to each asset. This can be done with the risk formula, Risk = Probability of Attack x Impact of Attack. Nothing can be made 100 percent secure, so use the resulting risk ranking to focus on the most critical threats first.
Stay on Top of Your Patching
Applying updates is one of the most important steps you can take to keep your software secure. Patches typically fix vulnerabilities that have already been found and disclosed; if you do not apply them, publicly known vulnerabilities remain in your system for attackers to use.
Manage Your Containers
Containers are often considered to have security advantages: each container carries its own filesystem and dependencies and is segmented from other workloads by design, which limits the blast radius to other applications. That isolation is not absolute, however. Containers share the host kernel, and a breakout exploit that escapes the container can reach the host and neighbouring containers. To secure container usage throughout the CI/CD pipeline, run automated scans for vulnerabilities in both proprietary and open-source components from build to deployment, including the images stored in your registries.
Prioritize Your Remediation Ops
With the number of disclosed vulnerabilities rising, developers cannot fix everything at once, so findings must be prioritized for them. Doing so means assessing each one by the severity of the vulnerability (its CVSS score), how critical the affected application is to your operations, whether the vulnerable code is actually reachable, and other factors. A sensible strategy automatically ranks the most pressing threats first, taking those factors into account, and leaves the low-risk findings for later.
Encrypt, Encrypt, Encrypt
Failure to properly protect your traffic exposes sensitive data to man-in-the-middle attacks and other forms of interception. Your basic encryption checklist should include serving everything over HTTPS with a current TLS configuration (TLS 1.2 or later; SSL and early TLS versions are deprecated) and a valid, up-to-date certificate. HTTPS is the standard today, so do not be left behind. Hashing matters too: never store sensitive data such as passwords in plain text. Store passwords as salted hashes produced by a deliberately slow password-hashing function, and encrypt other sensitive data at rest.
Manage Privileges
Not everyone in your organization needs access to everything. Follow the Principle of Least Privilege: give people, and the service accounts that act on their behalf, access only to the data and functions their role requires.
Embrace Automation for Your Vulnerability Management
Given the sheer number of vulnerabilities, developers need automated tooling to manage what would otherwise be an unwieldy testing process. For proprietary code, static application security testing (SAST) analyzes the source during development and dynamic application security testing (DAST) probes the running application; both find potential vulnerabilities in your code. Software composition analysis (SCA) tools run automated security checks and reporting throughout the SDLC, identifying the open-source components in your environment and flagging those with known vulnerabilities. Shifting this automated testing left, into development and CI rather than after release, lets you manage vulnerabilities before they ship.
Penetration Testing
Pen testers probe your running application, and where the engagement allows, its code, to find weak points. Good pen testers know what a determined attacker will try when breaking into your application. Despite the cost of engaging them, you are far better off paying white hats to try to break in than facing the consequences of a breach in the wild.
Be Careful with Tokens
Properly securing your third-party tokens (API keys and access tokens for the services your application uses) is a basic of application security. Do not leave tokens you have paid for lying around in your code or repository history, where anyone with read access can take them. Load them from the environment or a secrets manager at runtime, and rotate any token that has been exposed.
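The check a practitioner wants here is something that catches committed tokens before they reach the repository, plus the replacement pattern. The following is an added example, not code from the original post: a small line-oriented secret scanner that reports well-known token formats outright and reports generic key/secret/token/password assignments only when the value has the high entropy of a real token, alongside a helper that resolves secrets from the environment instead. The AWS access key ID shape and the GitHub "ghp_" prefix are publicly documented formats; the generic pattern, the entropy threshold and the sample source file are constructed for this example, and the key-looking values in it are not real credentials (the AWS one is the placeholder AWS uses in its own documentation).

```python
import math
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Known token formats are reported unconditionally. The generic assignment pattern and
# the entropy threshold are assumptions for this example, not a vendor's rules.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<v>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(?P<v>ghp_[A-Za-z0-9]{36})\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"](?P<v>[^'"\s]{16,})['"]"""
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders like 'xxxxxxxx' fall far below


@dataclass
class SecretFinding:
    line: int
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, words and repeated
    placeholder characters score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value: str) -> str:
    """Keep a short prefix for triage; never echo the whole secret into scanner output."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> List[SecretFinding]:
    """Scan source text line by line. Generic assignments are only reported when the
    value looks random enough to be a real secret, which suppresses obvious placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group("v")
                if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append(SecretFinding(lineno, kind, redact(value)))
    return findings


def load_secret(name: str) -> str:
    """The fix: resolve secrets at runtime from the environment (populated by a secrets
    manager or the CI vault) instead of committing them with the code."""
    try:
        return os.environ[name]
    except KeyError:
        raise RuntimeError(f"secret {name} is not configured") from None


# Constructed sample file. The values are made up for the example and are not real
# credentials; the AWS key ID is the placeholder AWS uses in its documentation.
SAMPLE_SOURCE = """\
import os

# Hard-coded credentials: what the scanner should catch
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
github_token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
api_key = "c1f3b9e2a7d84f60b5e1d2c3a4f5e6b7"
token = "xxxxxxxxxxxxxxxxxxxx"
# The right way: read the secret at runtime
STRIPE_KEY = os.environ["STRIPE_KEY"]
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
```

Run as a pre-commit hook over staged files, a scanner like this blocks the common case: the placeholder on the `token` line is ignored, the three real-looking values are reported, and the `os.environ` line passes. Treat a hit as compromised and rotate the token even after removing it, since it is already in the commit history.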
Conclusion
Staying ahead of attackers is largely a matter of avoiding the common mistakes others make, so that you are a harder target than the next one. No perimeter or application security measure is ever fully hack-proof, but following these basic practices goes a long way toward making your application not worth the hassle for attackers, keeping you and your data safe for another day.