start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
start portlet menu bar end portlet menu bar
Close
Select Page
Secure DevOps
  | October 8, 2019

AppSec: Protect from the Inside Out

Rob Cuddy
Rob Cuddy
Global Application Security Evangelist
AppSec: Protect from the Inside Out

Today’s applications need to protect from the inside, as well as the outside.  What does that mean? Let me illustrate with a common situation we have probably all dealt with.  Have you ever opened your refrigerator and discovered that package of leftovers in there that you had forgotten about?  Maybe it was a Styrofoam box holding the remnants of a great meal from your favorite restaurant. Or perhaps you had enjoyed a wonderful home-cooked meal with your family but there was just too much food for that sitting, so you put the remains into plastic containers and stored them.

And then you promptly forgot about it.

Then a few weeks or even months go by.  Or maybe you went grocery shopping and re-stocked your shelves, and you pushed that container even further back in the refrigerator.  Finally the day came when you noticed it again, only this time there were a few key changes right? Changes like mold everywhere inside it, and a distinct new aroma. What do you do?  You end up kicking yourself for forgetting about it, and then you throw out everything in the container, and maybe even the container itself.

Unfortunately, for a lot of organizations, this is exactly how they are treating their applications.

The 2019 State of Cybersecurity study from HCL found that while 60% of Information Security professionals expect a cyberattack to happen to them this year, only 34% of them are confident in their team to handle it.  Why is that the case? The reasons are many.  An ever-increasing threat landscape and an increase in the number of attack vectors surely come to mind right away.  But another big reason is that they know most applications being deployed are vulnerable when released.  Pressure to meet deadlines and release dates causes development tradeoffs that impact testing schedules, and for many, even with the best of intentions, it is very likely that an application developed today will contain vulnerabilities in it that will leave it open to attack. Veracode’s 2018 State of Software Security report found that 85% of all applications have at least one vulnerability in them. And when you factor in the increasing use of open source software, this just increases the risk for vulnerabilities. In fact, according to the State of Open Source Vulnerability Management report from Whitesource, reported vulnerabilities from open source components rose by over 52% in 2017 alone.

When it comes to Cybersecurity, many companies I have seen focus most of their efforts on securing the perimeter, or what I would call the “outside”. It involves things like threat detection, network protection, identity and access control, endpoint management and many other things like these. All of these are necessary and they are meant to keep good stuff in and bad stuff out. Now think back to the food analogy from earlier, this approach is similar to putting good leftover food into a container and storing it in the refrigerator. We have a “secure” environment that is specifically designed to keep food cold so that it can be safely consumed later. So then, why did the food go bad?

Simple. Because of what was already in it when we stored it.

With our food, we thought about what type of container to use, and we chose one appropriate for our refrigerator. We considered where inside to place it; whether in a humidity-controlled bin, on the inside of the door or strategically on a particular shelf.  It’s safe to assume that; at no point did we consider placing it in a spot where it would spoil. Yet, even inside that sealed container, in the cold environment of the refrigerator, there is enough air and moisture to allow for the growth of microorganisms to occur. We want to, and should, take full advantage of sealed containers and refrigeration, but all those things are doing is really just slowing the process down. The problem here isn’t the device we used or the container we chose, it is what’s inside what we stored. Given enough time, those microorganisms result in mold, making something that was great into something unusable.  If we wanted to maximize the shelf-life of the food we would need to protect from the inside out:  we would need to find and remove as many of those microorganisms as possible.

Now think about your software applications.

They are written and then built. They are packaged into containers and those containers get delivered into environments that were specifically designed to hold them. And all is great — until the vulnerability that no one realized was in the application gets exploited and now the organization is at risk. And today, more than ever, application security is paramount to business success.  In short, you need to protect from the inside out too.

And If that isn’t enough to convince you of the need for a comprehensive application security program, consider these additional facts. A 2019 report from Forrester (obtained from SecurityBoulevard.com) stated that the top two ways successful breaches were carried out were through web applications (36%) and software vulnerabilities (35%). These were also the same top two issues in the 2018 report. So, what does that mean? It means hackers and cybercriminals are most often looking to exploit existing weaknesses in the application layer, and the truth is that they are usually not hard to find. It means we can make extensive use of container technologies and we can have great networks, monitoring, alerts, endpoint management technique and threat detection models — but if we don’t protect from the inside out by securing the applications themselves we leave ourselves open and exposed.

So how do we secure the inside?  That is what will be explored in this series.  The first step though is to realize that security is a big part of the overall quality conversation.  It is every bit as important as functional testing, performance testing, regression testing, UI testing, API testing and so on.  Longer term, security has to be ingrained in the organizational culture.

The bottom line is that companies can no longer simply run scans using the same set of policies and tests from previous releases and assume that is enough to be secure. To truly protect from the inside out means integrating application security into development cycles with a comprehensive approach.  After all applications are built focused on how they will perform and be used. Hours are spent designing and implementing innovative capabilities to differentiate from competitors. There is intense focus on the user experience, looking for ways to simplify and enhance it.  And while no one wants to make insecure apps, how much time is really spent thinking about security?

Stay tuned for additional blogs in this series as we explore more details and aspects of a comprehensive application security program.

Comment wrap
Rob Cuddy
Rob Cuddy
Global Application Security Evangelist
Rob is currently a Global Application Security Evangelist for HCL providing thought leadership for the application security space, particularly as it relates to DevOps and DevSecOps initiatives. Prior to this role, Rob was with IBM for 14 years with roles in Application Security Evangelism, Worldwide Sales Enablement, Tiger Teams and Field Services for the Management and Platform Segment offerings in IBM Cloud. Rob has worked with clients all over the world to help address their challenges in ways that bring a positive impact to the business bottom line. Rob has spoken at numerous events and conferences, including Evanta CISO Summits, THINK, InterConnect, DevloperConnect, IBM Top Guns and many customer events. Prior to IBM, Rob spent 13 years with 5 different companies working as a configuration management specialist with an emphasis on Rational tooling. Rob graduated from the University of Southern California with a degree in Aerospace Engineering and is an avid fan of college football. When not at work, Rob enjoys spending time with his family, serving with his church, running and cycling. You can connect with Rob through the Application Paranoid podcast, via LinkedIn, Facebook and Instagram but the best way is by joining the “Robservatory” on twitter using the handle @Robservatory.
Read more

Topics in this article:

Application SecurityAppScanAppSecDevOpsDevSecOpssecurity testing

Submit a Comment

Your email address will not be published. Required fields are marked *

* HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


appscan
Secure DevOps | December 20, 2023
Secure Application Code Against Vulnerabilities Faster with HCL AppScan Fix Groups
Stop in for an update on how HCL AppScan helps find vulnerabilities and security risks, starting with built in AI that dramatically reduces the number of scan findings and practically eliminates false positives.
Uffe Sorensen
Itay Levin
Design Lead for HCL AppScan
appscan
Secure DevOps | December 5, 2023
HCLSoftware Named a Strong Performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023
HCLSoftware has been named a strong performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023 Report. Read the blog to know more.
Uffe Sorensen
Adam Cave
Product Marketing Manager, HCL AppScan
appscan
Secure DevOps | September 7, 2023
HCL AppScan 360º Integrations with Jenkins and Azure DevOps Provides Powerful DevSecOps
Discover how HCL AppScan 360º provides a self-managed application security testing platform for on-prem or private cloud deployment, with integrations for industry-leading CI/CD tools like Jenkins and Azure
Uffe Sorensen
Parimal Sureshagarkhed
Lead Software Engineering
start portlet menu bar end portlet menu bar