Empower Your Developers and Users to Overcome Application Security Vulnerabilities

From the minute we wake up in the morning until the time when we drift off to sleep at night, applications empower our lives.

To give you a sense of how powerful the impact of technology has become on our daily lives, consider these smart phone usage statistics from Reviews.org:

• 75.4% of users consider themselves addicted to their smartphones.
• 65.6% of users check their phones more than 160 times per day.
• 55.4% of users admit to looking at using their phones while driving, despite laws in many jurisdictions that make hand-held mobile phone usage and texting while driving illegal.
• Disappointingly, 32.7% of users admit to spending more time on their cell phones than with their significant others, and 17.3% confess to spending more time on their phones than with their children.

The above-referenced figures don’t include additional time that users spend on other technological devices, such as laptop computers. Note that the data were analyzed just prior to the digital impact of the COVID-19 pandemic, so the figures could be even higher now.

And, the common denominator that bonds users to all of these devices is their applications.

So, how can you ensure that you’re using applications safely, and that your organization is developing applications securely? I’ll provide you with actionable best practices, but first let’s explore the lay of the land for application vulnerabilities.

Application Vulnerabilities: Current Environment 

Here are eye-popping statistics about the prevalence of vulnerabilities in modern applications:

• In a recent Technical Review of HCL AppScan, analyst firm ESG found that 62% of organizations test fewer than half of their applications. You can download ESG’s comprehensive report here to find out more.
• A compiled TechBeacon report found that 83% of applications contained at least one security flaw at their initial vulnerability scan.
• The same TechBeacon report found that organizations took more than 50 days (more than 7 weeks) on average to remediate critical vulnerabilities in Internet-facing applications.

Smartphones, laptops and applications are ingrained components of our lives, so I’m not advocating that you give them up in an effort to avoid the application vulnerabilities that I’ve referred to above. Rather, I’m asking you to observe the following best practices, so you can do so more safely:

Application Security Best Practices for Users

Listen to your instincts

There are no trackable metrics associated with this best practice, but this is solid advice anyhow. If someone you’re interacting with on social media or dating apps sounds too good to be true, listen to your instincts and disengage with that person. Utilize different user names across different Web sites, and make sure that you’re using a unique password on each of the sites and changing it regularly.

Utilize official application stores

Be especially careful when downloading applications that you’re not familiar with. Always utilize the official Apple App Store and/or Google Play when you download applications, and be especially wary of look-alike fleeceware applications that exist solely to separate you from your money and your good name. To put this advice into context, the Digital Information World article that I linked you to above documents nearly 600 million (yes, 600 million!) user downloads of fleeceware that resulted in financial losses through payment and subscription scams.

Share only what you need to share

This advice will be hard for power users of dating and social media applications to accept. Share only the minimum amount of information that you need to share about yourself in online profiles, particularly on business applications such as Linkedin. The more information you provide, the easier it is for someone to execute a spear-phishing or whaling attack against you.

Post photos of your fishing trip; don’t let yourself be phished

Don’t click on links in unanticipated e-mail messages or texts from your application providers, as those messages could be phishing attempts designed to capture personal information about you.

Application Security Best Practices for Businesses

Not only do users need to take action to protect themselves, organizations need to safeguard the applications that they’re developing for users. Here are steps you can take to protect the applications that your organization is creating and/or updating:

Learn from the best

There are many powerful resources you can consult to learn how to manage application security risk more effectively. Our CISO Joe Rubino recently provided his perspectives on best practices for managing application security in a global enterprise like HCL. You can access a replay of Joe’s session here.

Make AppSec a program, rather than a series of one-off projects

In a September 2020 report, Statista estimated that there were 2.56 million applications available in the Google Play store in the first quarter of 2020, and another 1.85 million available in the Apple App Store. More than 1 million additional applications were available in Windows Store and Amazon Appstore, combined together. So, in order to keep up with the sheer volume of new application releases and downloads, your organization needs to think about application security as a “program” rather than as a series of individual projects. My colleagues Colin Bell, Rob Cuddy and Kris Duer show you how to do so in their recent Continuous Security webinar.

Evangelize the importance of AppSec with your executives

The business reality is that most of your customers interact with you via applications. However, we have found that it is often challenging for executives to understand the potential impact of major security vulnerabilities on their companies’ applications, until a costly data breach takes place. Invest time now to learn about the potential impact of application security of your company’s brand reputation, and educate your executive team about the pitfalls of a “wait and see” approach to protecting your applications from vulnerabilities. My recent blog spotlights 5 key reasons to invest in application security testing, which will help you to get the discussion started.

If you’re not doing anything right now, start somewhere

Having worked in the AppSec field for more than 5 years, I’ve found that one of the biggest enemies of an effective application security testing program is sheer inaction. In other words, many organizations view the AppSec problem as so huge that they don’t even know where to begin. So, my advice here is simple: Start somewhere. The company I work for offers a 30-day free trial of our HCL AppScan solution, so you can test-drive an application security solution on your own. Similarly, we offer a community edition of AppScan known as HCL AppScan CodeSweep that empowers your developers to identify potential security vulnerabilities on their own.

Share Your AppSec Insights

My best practices recommendations above represent only the tip of the iceberg. If you have best practices that you use to protect yourself or your organization against application security vulnerabilities, share them in the comments section below. It takes a village to protect the applications that we’ve come to depend on. Thank you for your comments!