Effective data security spans every level of an organization and involves many different internal teams working together. Making sure the right information is traveling up and down the command chain is a key component of this, but it can often be easier said than done. With an increasing amount of business now done online, web app vulnerabilities are becoming more and more problematic. Failure to remediate them quickly can lead to significant data loss, website defacement or denial of service, yet the disconnect between parties within the command chain often hinders the development of efficient security practices.
The worrying truth is that most web sites are vulnerable most of the time. According to research, the average age of an open critical website vulnerability is over 300 days. That means that almost a year goes by before the flaw is fixed. That’s a pretty significant amount of time for criminals to find and exploit these vulnerabilities before the businesses in question can remediate them; a scary prospect indeed.
With this in mind, how can three of the key parties within the business command chain (Executives, Security Practitioners and DevOps) work more effectively together to prevent their organization becoming the next victim?
Executives
Regardless of industry, executives must face the fact that a large number of their business applications are at risk, most of the time. For example, our researchers found that over 50% of retail websites are always vulnerable, with each site having, on average, 23 unique vulnerabilities. Executives believe that application security flaws can be expensive to find/address and often consider that the cost outweighs the risks. This is folly. Most vulnerabilities have the potential to expose the business to loss of data, revenue, reputation, and potentially customers, if not addressed.
Executives are in the best position to help change the way that the security and DevOps teams approach software. Whether developed in-house, purchased, or outsourced, almost all software introduced into a business is done with speed and time-to-market in mind, but even the most efficient IT teams need time to integrate new software properly, otherwise they risk introducing new security flaws at the same rate at which they are rectifying old ones.
Executives need to get to grips with the security of their entire application landscape. One of the best ways to do this is to use analytics to identify and prioritize the most business critical applications that need to be secured. They must then empower their security practitioners to have the right tools in place to find vulnerabilities in a timely manner and ensure development teams are held accountable for application security before they are allowed to disengage from the project.
Security Practitioners
Every security team knows that it’s very rare for an application security program to be 100% effective. So, rather than thinking that their program is bullet proof, security practitioners should instead look for industry remediation rates to use as a baseline for their own security posture, and look to improve from there.
This is not without its challenges. Security practitioners need to influence without authority. While they are the gatekeepers of security, they often have little or no authority over the security quality of web applications under development. As such, security practitioners need to position themselves as an integral part of the process that takes these applications from code through to production. By using their knowledge of application security analytics throughout the development lifecycle, they can become key development partners to the teams tasked with producing secure quality code. Security practitioners must also take the time to keep executives well informed throughout the process, thereby minimizing undue pressure from above, whilst ensuring any pre-agreed timetables are adhered to. Finally, the CISO needs to build a business case for implementing the tools that can provide the evidence they need to really engage DevOps and executives in secure coding practices.
DevOps
The DevOps team are really up against it when it comes to application security. Actionable vulnerability data is seldom available during the actual development cycle. As such, application security flaws often surface too late in the process and some flaws only become known after the application goes live. Assessing software for security vulnerabilities just prior to production or release is far too late, and the reason for this can often be traced back to time constraints imposed at the executive level for development and implementation.
DevOps teams need to work closely with security practitioners and executives to build ample security review time throughout the entire development lifecycle. Moving to a continuous integration process can greatly assist with this, as can the use of both source scanning and dynamic scanning during the development and implementation phase. DevOps can help demonstrate that to the executives; that a slightly longer initial development phase is preferable to repeating the whole process several times when vulnerabilities are discovered at release. However, they can only act on this if both DevOps and security practitioners can effectively communicate it up the chain.
Communication is Key
Effective app security requires a concerted team effort between key parties within the business command chain, which isn’t always easy, but understanding differing challenges and drivers across the business can really go a long way. From the business continuity concerns at the executive level, to implementation time and QA concerns within the development teams, achieving the right balance by effective communication between all parties is the key to success.