#2018InReview Application Security and Software Development

Faster connectivity and the lower barriers to application development that open source software provides mean that the number of applications, and the volume of data they hold, has continued to grow. As a consequence, attackers are developing more sophisticated ways to break into insecure apps and exfiltrate valuable data. 

Application security is a multi-billion pound industry because of the sheer number of applications businesses are currently building. The market is predicted to grow almost three-fold in the next three years, and IT security professionals and development teams will be eager to protect those applications and the sensitive data they hold. 

There’s no doubt that 2019 will be a challenging year regarding cybersecurity for many UK organizations. With larger socio-economic changes due to Brexit looming overhead, collaboration between European nations and businesses on cybersecurity will be an area of focus and risk.

With high cyber threat levels coming from nation-state actors and uncertainty surrounding how data is to be handled and transferred between the UK and the EU, organizations should look inward to make securing their own software and applications the priority to mitigate against future threats.

As we head toward the New Year, let’s ponder what we can expect in cybersecurity and software trends.  

2019 will be bigger than 2018 – when it comes to data protection malpractice
This year saw the roll-out of one of the largest pieces of data protection legislation to date, the EU GDPR. Since it came into force in May, industry and consumers alike have watched with interest as breaches led to exposures and fines.  

Last month, Uber escaped a major fine over a UK customer data leak as a result of a technicality; the incident happened before GDPR rules came into force. Yet despite this, the tech giant was still fined £385,000 by the Information Commissioner’s Office (ICO) for its role in the incident.

Some breaches stay undetected for a significant period of time, and some unfold over months or years, so it is almost guaranteed that we will see similar mega-breaches come to light over the coming year. 

UK Government to expand its focus on IoT security 
Although only guidelines, the UK Government made an admirable head start towards Internet of Things (IoT) regulation with its ‘secure by design’ code of practice, released in October. Though the code was initially written with the consumer home device market in mind, it has since had a strong influence on the move towards industrial IoT regulatory requirements. This was a significant achievement within the UK, but only time will tell whether binding regulation of this kind can be rolled out successfully. 

In the industrial IoT (IIoT) sector, we can expect much of the focus to be driven by governments eager to protect core business applications and critical national infrastructure. The software supply chain is growing in importance, and companies will begin to build strategies around protecting every piece of the software they depend on, not just what they write themselves. Oil, gas, power generation, aviation and water industries are all highly dependent on software to run their operations, so it is key for the government to focus on cybersecurity policies that protect consumers, businesses and the wider economy.

IoT networks and their security are critical to delivering Smart City initiatives in the UK, so the entire software supply chain, from equipment manufacturers to over-the-top (OTT) service providers, must work together to deliver effective end-to-end security.

Organizations waking up to the reality of sleeping bugs
Although there has been some improvement, the process of fixing bugs needs to happen at a much faster pace. As businesses become more dependent on web apps, not fixing bugs effectively or efficiently leaves a greater attack surface. In addition, developers are using open source components for a majority of their code, gaining speed but increasing risk if vulnerabilities are not accounted for. 

To most, the Marriott breach - one of the biggest on record - was astonishing. It is unsurprising to many in the security industry, however, that the merger between Marriott and Starwood created gaps in the company’s digital security, leaving a door open for attackers to exploit a SQL injection bug. Prior to the four-year-old breach being discovered, Marriott had suffered at least one previously unreported hack, an infection that hit the company’s own cyber-incident response team. 

Organizations should take note: these legacy code bases and networks, often rife with detritus from a multitude of historic mergers and acquisitions, can carry significant vulnerabilities. ‘Fail fast, fix fast’ should be the main priority for 2019, which means security teams making rapid, incremental testing and remediation part of application security by shifting it left, into development itself. 

Organizations should enter the coming year with a new mentality: great code means secure code. DevSecOps, the practice of running incremental scans and making improvements as code is written, with development and security teams working together, is no longer a mere theory but an established practice among businesses that want to keep their data protected and to demonstrate to vendors, partners and prospects that their software is secure.
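The SQL injection class of bug mentioned above, and the kind of incremental check a DevSecOps pipeline would run against it, as an added example that is not part of the original article and has no connection to Marriott’s systems. It uses only Python’s standard-library sqlite3 module; the guest table, its rows and the two lookup functions are constructed for illustration.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample data for the demonstration: a guest table of the kind a
# reservation system might hold. Every value here is made up.
GUESTS: List[Tuple[int, str, str]] = [
    (1, "alice@example.com", "AB123456"),
    (2, "bob@example.com", "CD789012"),
    (3, "carol@example.com", "EF345678"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE guest (id INTEGER PRIMARY KEY, email TEXT, passport TEXT)"
    )
    conn.executemany("INSERT INTO guest VALUES (?, ?, ?)", GUESTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable: the caller's string is spliced into the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, email, passport FROM guest WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT id, email, passport FROM guest WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payloads. In the vulnerable function the first becomes
#   WHERE email = 'nobody@example.com' OR '1'='1'
# and the second comments out the closing quote with --.
INJECTION_PAYLOADS = [
    "nobody@example.com' OR '1'='1",
    "' OR 1=1 --",
]


def leaks_on_injection(lookup: Callable[[sqlite3.Connection, str], list]) -> bool:
    """Regression check suitable for a CI job: an address that matches no row
    must return nothing, and so must every injection payload. Any payload
    that returns rows means the lookup is concatenating input into SQL."""
    conn = make_db()
    try:
        if lookup(conn, "nobody@example.com"):
            return True  # baseline already wrong; treat as failure
        return any(lookup(conn, payload) for payload in INJECTION_PAYLOADS)
    finally:
        conn.close()


def run_checks() -> dict:
    """Return the verdict for both implementations; wire into a test suite."""
    return {
        "lookup_vulnerable": leaks_on_injection(lookup_vulnerable),
        "lookup_safe": leaks_on_injection(lookup_safe),
    }


if __name__ == "__main__":
    for name, leaks in run_checks().items():
        print(f"{name}: {'LEAKS on injection' if leaks else 'ok'}")
```

Run as a test in the pipeline, `leaks_on_injection` fails the build the moment someone reintroduces string concatenation into a query. Note that sqlite3’s `execute()` refuses stacked statements, so this harness exercises tautology-based data exposure rather than `; DROP TABLE`-style payloads; against a database driver that permits multiple statements, the check should include those as well.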

With data regulators now empowered to investigate and heavily fine non-compliant organizations, more companies are building continuous testing and remediation into the application development lifecycle. 

To stay ahead of malicious hackers and criminal organizations, governments and businesses should work closely together and continuously test their software to ensure code is high quality and secure. 
