Defense Against the Dark Arts: Learnings From the Magical World to Boost Your AppSec

Written by

We’re all aware that businesses have had to deal with a multitude of challenges being thrown at them throughout the pandemic. However, whether it’s been hybrid working models, the need to implement new and collaborative IT solutions or trying to keep employees safe, there has been one challenge that’s eclipsed all others and caused immeasurable damage – information security.

Cyber-criminals continuously accelerate and improve their methodologies, creating more sophisticated tactics, techniques and procedures. Their success has been immense as a result. In fact, we’ve recently seen effective hacks against governmental organizations such as SolarWinds, attacks on national infrastructure, including the ransomware which targeted the Health Service Executive of Ireland, and even large-scale business attacks like Codecov.

Cyber-criminals are moving at pace, seemingly casting sophisticated magical spells across businesses to sneak into their networks and wreak havoc. With application security (AppSec) specifically vulnerable to this wizardry, how can businesses protect themselves and their code against these seemingly dark arts and guard against the threat actors who are cursing, jinxing and charming their way past security defenses?

Always Scan Your Code

Effective AppSec methods are vital to ensuring organisations can secure their applications as tightly as the fictional prison, Azkaban. With different levels of security controls in place – from its location on a tiny island out at sea, prison cells, and being guarded by soul-threatening creatures – the prison has the tightest security in the wizarding world. These layers are comparable to the layers of security needed in modern software, something which, when implemented correctly, application security can provide to businesses.

As a first step towards this security, it’s vital that neither organizations, nor their developers, assume any portion of their codebase is intrinsically secure. Whether it’s proprietary or open-source code, every line must be thoroughly inspected from the onset of development. The objective of this is to ensure that any and all vulnerabilities are found and addressed, limiting exposure to risk. This also goes for adding new features and functionality to applications.

It’s also vital to ensure that every component is secured, including third-party components like APIs. While it takes bravery to stand up to our enemies, it takes just as much to stand up to our friends, and organizations can’t just trust third-party organizations blindly. Instead, a ‘trust, but verify’ approach – meaning organizations trust but take things a step further by verifying and validating – is vital in ensuring all components and code are truly secure before it’s used.

Training as a Form of Defense

Whether it’s learning about transfiguration or successfully creating secure code, training is a vital form of defense in the fight against the dark arts – magical or cyber. Those with malicious intent are constantly evolving, and the ‘good guys’ need to evolve alongside this to stand a chance in keeping up.

When looking at application security specifically, we know that the vast majority of developers today want to up-level the security of their code. Our own research found that when developers were asked about the skills they prioritized learning or improving most, the top response was AppSec / secure coding (46%). To ensure this, training programs need to be implemented as a priority, and organizations need to understand it’s their duty to enable such initiatives.

The traditional video tutorials, lectures, slide decks, periodic classroom training and mandatory online courses are standard approaches to AppSec training but often fail to help or retain the attention of developers. Instead, much like the magical lessons provided at Hogwarts, sessions and content need to be bite-sized, precise and interactive to increase engagement. By providing a glimpse into the adversaries’ point of view, organizations can empower their teams to best protect against attackers – by knowing what evil looks like, they can best fight it.

Mischief Managed

Most threat actors could solemnly swear they are up to no good, so businesses and developers need to ensure they’re doing everything in their power to protect their applications. By heeding the aforementioned advice above – focusing on scanning code, implementing a trust, but verify approach to third-party content, and prioritizing interactive, bite-sized training programs – organizations can be safe in the knowledge that their AppSec security is making a real difference and those with malicious intent will have a much harder time penetrating their defenses.

What’s hot on Infosecurity Magazine?