Application Security: Testing is NOT Enough
In the software development world, developers are faced with a breakneck release schedule and tasked to produce applications quicker than ever. Customer purchasing decisions are complex and change constantly. Online business shifts force business owners to demand feature rich mobile and web applications. All to support the continuing goal of transforming businesses to digitally deliver services via web and mobile apps.
Agile development practices help meet these demands by reducing the length of time to deliver, pushing innovation, while improving the quality of subsequent releases. The problem of faster release cadence has been ignoring software vulnerability testing of secure coding practices.
Vulnerabilities continue to rise
Application weaknesses and software vulnerabilities continue as the most common external attack vector. Statistics from the 2020 State of Application Security report released by Forrester Research paint a compelling argument for the need to adopt early application security testing:
- 42% of global security decision makers whose firms experienced an external attack said it was carried out by exploiting a software vulnerability
- 35% said it was through a web application
- 27% was use of stolen credentials (logins, encryption keys)
The 'Shift Left' movement was developed to address concerns over the growing number of insecure applications released. This movement allows for code testing early in the development process. Key to the movement are SAST/DAST/IAST (Static/Dynamic/Interactive Application Security Testing) and SCA (Software Composition Analysis) testing. Although each are key elements to application security, vulnerability testing tools fail to address application protections after release. Further steps beyond vulnerability testing are required to protect software from bad actor reverse-engineering, code tampering, injection, and data theft attacks.
Finding vulnerabilities is only the beginning
In their entirety, organizations have been slow to adopt Shift Left practices. SAST/DAST/IAST and SCA are effective at uncovering vulnerabilities. Additionally, testing tools are tremendous for teaching developers secure coding methods. The best tools provide valuable real-time feedback, tutor developers on secure software patterns and avoidance of code libraries, and detail requirements on repairing potential vulnerabilities.
Noteworthy are the downsides of testing tools. False positives generated through testing potentially add work to developers and security professionals to review. Thus adding work, lengthening release schedules, and adding performance costs. Also, early testing will pinpoint vulnerabilities, but won't secure applications from direct attack.
Testing Is NOT Enough to Secure Applications
Effective application security against tampering, intrusion and malicious data exfiltration, requires the implementation of in-app protections. In-App security solutions are implemented inside applications during the development cycle and enhance resistance to attacks. A study by Aite Research identified a widespread absence of application security controls and secure coding:
- 97% of apps tested lacked binary code protection, making it possible to reverse-engineer or decompile source code
- 90% of apps tested shared services with other applications, leaving data accessible to other applications
- 83% of apps stored data insecurely outside of the apps control, allowing access with other apps and exposing attacks through APIs
- 80% of the apps tested implemented weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed
Application attacks and software vulnerabilities continue as the top two reasons organizations experience a breach. The growing complexities of customer needs demand faster development cycles and regular release cadence, each expanding the bad actor exposure and increasing probability of malicious attack. Shifting security ‘to the left’ into the development process saves organizations time and money, discovers vulnerabilities early, increases secure coding awareness, and improves the overall value stream.
Security testing early in the development cycle is critical, but not enough. Application defense-in-depth security composed of early testing and in-app protections adds multiple layers of security. In-app protections guard and remediate against code-tampering and theft, API manipulation, credential theft, and malicious code injection attacks. Protect apps and the business value stream from the inside out by identifying application vulnerabilities during development and applying in-app protections after application release.