7 Steps to Web App Security
Emerging technologies are introducing entirely new ways to reach, act, and interact with people. That makes app security more important than ever.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt8830cd0ba33f167e/64f0d3bc3525566346c78314/Slide1CoverArt.jpeg?width=700&auto=webp&quality=80&disable=upscale)
For more than two decades, Web apps were built with functionality in mind. Everything revolved around the user interface and how easy it was for users to access information and make online purchases.
No longer. The high-profile breaches of the past few years have shattered those assumptions, and companies can no longer trade off functionality for security. Today, both app security and privacy must be built into Web applications.
Setu Kulkarni, vice president of corporate strategy and business development at WhiteHat Security, says it all starts with CISOs explaining in clear terms what lackluster app security means to the company's bottom line.
And while it's important for CEOs to understand what's at stake in terms of lost revenue and brand reputation, security pros are the ones who have to "own" security, Kulkarni says. "That means moving from merely responding to breaches [to mainstreaming] security into IT project teams and the entire development process," he says.
This feature offers security pros some ideas for mainstreaming app security at their organizations. Security, after all, can't be an afterthought. It has to become a part of the company's culture, just as important to the product as quality control.
It's really important to streamline and regularly update the code on your website, Offensive Security's O'Gorman says. Companies should keep only what's in use and delete areas of the site that aren't used anymore, he adds. Attackers prey on unused portions of websites, and the more code a site carries, the more expensive it is to maintain.
SiteLock's Tebow advises companies to store site visitors' personally identifiable information in a separate database. That way, should hackers gain access to your site, they can't grab that data. In addition, site visitors should have access only to the application itself, and administrators should have only the access they need to do their jobs.
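One way to lay out the separation Tebow describes, as an added PostgreSQL example that is not from the article or from SiteLock: visitor PII lives in its own database, the web tier's role can only record and read orders, and the PII database exposes a single lookup function rather than its tables. Database names (`webshop`, `visitor_pii`), roles, tables and the `<replace-me>` password placeholders are all constructed for this illustration.

```sql
-- Added example (not from the article): PostgreSQL role layout that keeps
-- visitor PII in its own database and gives each role only what it needs.
-- All names (webshop, visitor_pii, roles, tables) are constructed here.

-- Roles are cluster-wide, so create them once.
CREATE ROLE app_web LOGIN PASSWORD '<replace-me>';     -- identity the web tier connects as
CREATE ROLE app_admin NOLOGIN;                         -- granted to operators who need writes
CREATE ROLE pii_service LOGIN PASSWORD '<replace-me>'; -- only the PII service uses this

-- === Run while connected to the application database: webshop ===
REVOKE ALL ON SCHEMA public FROM PUBLIC;               -- no implicit access for anyone
CREATE SCHEMA shop;
CREATE TABLE shop.orders (
    order_id    bigserial PRIMARY KEY,
    visitor_id  uuid NOT NULL,                         -- opaque key into the PII database
    total_cents integer NOT NULL CHECK (total_cents >= 0),
    placed_at   timestamptz NOT NULL DEFAULT now()
);
GRANT USAGE ON SCHEMA shop TO app_web, app_admin;
GRANT SELECT, INSERT ON shop.orders TO app_web;        -- the site can record and read orders
REVOKE UPDATE, DELETE ON shop.orders FROM app_web;     -- ... but cannot rewrite history
GRANT ALL ON shop.orders TO app_admin;                 -- operators get the full set, nothing more

-- === Run while connected to the separate PII database: visitor_pii ===
REVOKE ALL ON DATABASE visitor_pii FROM PUBLIC;        -- app_web cannot even connect here
GRANT CONNECT ON DATABASE visitor_pii TO pii_service;
CREATE SCHEMA pii;
CREATE TABLE pii.visitors (
    visitor_id uuid PRIMARY KEY,
    email      text NOT NULL,
    full_name  text NOT NULL
);

-- Expose the one lookup the shop needs through a function rather than the table,
-- so a compromised web tier still cannot enumerate or dump visitors.
CREATE FUNCTION pii.email_for(v uuid) RETURNS text
LANGUAGE sql SECURITY DEFINER SET search_path = pii, pg_temp
AS $$ SELECT email FROM pii.visitors WHERE visitor_id = v $$;

REVOKE ALL ON FUNCTION pii.email_for(uuid) FROM PUBLIC;
GRANT USAGE ON SCHEMA pii TO pii_service;
GRANT EXECUTE ON FUNCTION pii.email_for(uuid) TO pii_service;
```

Because `pii.visitors` is never granted to any login role, the only path to an e-mail address is one `visitor_id` at a time through `email_for`, and an `UPDATE` or `DELETE` attempted as `app_web` on `shop.orders` fails with a permission error.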
Don't let too much time go by between formal site assessments, Offensive Security's O'Gorman warns. Application security managers and developers should always be checking for design flaws. The sooner the better, O'Gorman says, because by the time security pros see a flaw in an application, it may be too far along into the process to simply run a patch. More often than not, the team may have to rewrite the applications from scratch.
"The more frequently you run assessments, the sooner you'll find flaws early on," O'Gorman says.
The security field changes constantly, and it's tougher than ever to keep up with all the new companies and products that are entering the market, Offensive Security's O'Gorman says. In today's business climate, and with the threat landscape so volatile, security pros will fall behind if they don't stay on top of the industry, he says.
"As a culture, the organization has to reward intellectual curiosity," O'Gorman says. "You have to give people time to learn new things, and even if they explore a topic that doesn't lead to a solution, if they learn and grow from it, it's worth the time and effort."
In a short few years, bug-bounty programs have gone from outliers to much more mainstream. In the past, Offensive Security's O'Gorman says, people who found bugs would be afraid to reveal them for fear of a lawsuit. Today, reputable companies such as Bugcrowd and HackerOne do this full time and have set up bug-bounty programs with many of the leading vendors.
If you decide it's too expensive to go with one of the better known bug-bounty companies, be prepared to spend at least some money, O'Gorman says. It's also important to set clear parameters. You might want to spin up a dedicated testing environment to use as a test bed. That way, if the hosting company sees malicious activity, it will know it's intentional testing, plus it keeps bug testing away from client data.
This may seem like common sense, but WhiteHat's Kulkarni says application security managers have to move away from their consultancy role and become more mainstreamed into IT project teams.
In doing so, they can spend more time explaining to developers how security impacts the organization, Kulkarni explains. Application security managers also can serve as the point people for security in their organizations for everything from installing new routers and firewalls to DLP software or email gateways.
WhiteHat's Kulkarni says companies need to get IT people to think of security as part of the company's quality process. "If the IT staff begins to think of security as part of its QA process, security will be given a higher priority," he says.
Already in the past couple of years, more CISOs have gained a seat at the table with top management. CISOs and vice presidents of security are now viewed as go-to people who, through the use of analytics, can show how the company is performing from a security perspective, Kulkarni says.
SiteLock's Tebow agrees it makes sense for security to become part of a company's QA activities.
"Security needs to be included in the whole process," he says. "If you cram security in at the end, something will get missed. And it's not that I think people are lazy. Especially with developers, they are focused on getting applications out the door. Security really has to become a mainstream part of the development process."