Application Security and its Many Challenges
Kirk Havens, Chief Security Information Officer, GoHealth
The healthcare technology industry is uniquely affected by application security challenges. The advent of several new healthcare technology solutions has created a flood of applications delivering healthcare products and services to customers. This is the time for the healthcare industry to be at the forefront of building security into their products and fully adopting strong application security practices.
The year 2021 will go down as one to remember as it pertains to application security-related issues. It ended with quite possibly the worst vulnerability of all time in Log4j. Log4j in many ways accentuated the many challenges associated with application security. The Open Web Application Security Project (OWASP) Top 10 now lists broken access control as the number one application security risk, based on the number of documented occurrences of incidents.
Now more than ever, it is critical that cybersecurity programs build or procure full-scope attack surface reduction teams and services. In years past, application security was done in isolation from peer cybersecurity and development teams. The explosion of applications with new end-user features has only served to exacerbate application security risks. Application and product teams have added functionality to existing applications through API services to meet the needs of their consumers. Often, this is done in short order and without a full appreciation of the security risks until an incident occurs. This problem is fueled by a critical shortage of application security skills, as well as by immature attack surface reduction security controls. The gap is even larger for small- to medium-size businesses (SMBs) in addressing application security risks. The SMB space has significant difficulty attracting top talent in a competitive market and will need to rely heavily on third-party service providers. Security leaders in the SMB space must be creative in how they address the application security issue, working hand in hand with the application development teams to mitigate issues before, during and after code deployment to maximize the return on security investment.
Addressing these Challenges
I often describe cybersecurity problems and solutions using the cliché of people, process, and technology, but take it a step further. Getting the right people, who will build the right processes, that leverage good technology solutions is the formula for success. Whether in-house or as a service, finding talent willing to work as a partner to the development teams, and not as an adversary, will go a long way. This is key to shaping a positive security culture that fosters successful outcomes. Establishing processes where applications are fully understood at each tier is quite possibly the number one risk reduction measure. This type of approach requires sound asset management, as well as a fully mapped security operations workflow that completes the developer feedback loop in real or near-real time.
One more factor to consider is the security technology solutions, which typically come last for a reason. Good technology solutions rarely go anywhere without sound people and processes. As tools for application security evolve, so must the teams using them. We are now facing a deluge of point application security solutions, with only a handful of platform-based providers. It is critical that teams focus on acquiring tools that are woven into each phase of the development life cycle and that provide a comprehensive view of product risk.
With increased demand for application security talent and greater-than-ever pressure on development teams, we will continue to see increased risk and incidents through 2022 and beyond. Now more than ever, it is imperative that we as a security community work with our IT and application development partners to reduce our companies' attack surface and start to shift left in addressing our application security risks.