Application Security: 5 Must-Haves
OWASP's Soi on Securing the Application Lifecycle
Adoption of technologies such as cloud and mobility is a clear driver of the application economy, and it shapes security practices and policies as well as how secure applications are developed. The challenge of securing applications is common to India and the Middle East, says Dhruv Soi, founder of Torrid Networks (P) Ltd. and chairperson of the Open Web Application Security Project India.
For security leaders, the impact is likely the need to support a broader range of devices and to make sure the applications developed for them are secure, he says. The other key concern, Soi observes, is the evolving threat landscape and the changing nature of attacks.
Additionally, he says, inadequate security processes in the software development life cycle make applications vulnerable to attacks.
"Most often, application security is taken into cognizance during the post-production testing phase - a big mistake," Soi says. "Developers should start evaluating applications at the beginning by embedding security features and run it through the department at an early stage."
In this interview with Information Security Media Group during the GISEC event in Dubai, Soi explains why CISOs must detect app vulnerabilities at an early stage to be business enablers. He also discusses:
- How OWASP helps security practitioners in introducing standard methods to secure apps;
- How web applications are soft targets for attackers, relatively easy to exploit and provide quick access to confidential data;
- 5 ways to secure applications.
Soi is the founder of Torrid Networks (P) Ltd. and chairperson of the Open Web Application Security Project India; he is also a board member of OWASP Global Conferences and founder of the OWASP Delhi Chapter. Prior to Torrid Networks, he was part of the global security team at Fidelity Investments, responsible for security reviews of its transactional and non-transactional applications. He also conducted risk assessments of Fidelity's vendors and delivered secure application development training to 400-plus Fidelity developers across the globe. Previously, Soi played a key role in the SWAT team of iPolicy Networks (acquired by Tech Mahindra), where he worked as a vulnerability researcher contributing to its intrusion prevention system (IPS) product.
The Threat Landscape
GEETHA NANDIKOTKUR: What are the threats facing India and the Middle East? How is the application security environment affected?
DHRUV SOI: I'd say a big threat landscape is evolving; the nature of attacks is changing, impacting critical infrastructure and, in particular, application security, a key component of the business. With hackers getting more sophisticated, organized crime is increasing, impacting not only the nation's critical infrastructure, but also geo-political relationships and border states. Almost every business on this planet has one or more web applications, including a corporate website, to say the least. Inadequate security processes in the software development life cycle make applications vulnerable to attacks. Web applications are soft targets, relatively easy to exploit and provide quick access to confidential data. A web application vulnerability helps attackers to escalate attacks further by utilizing watering hole kinds of techniques or compromising the entire corporate infrastructure. Most organizations do not have in-house software development teams, relying on outsourcing partners for acquiring software applications. Hence, less control over the SDLC processes leaves applications with security flaws and raises business risk.
Lessons Learned from Open Web
NANDIKOTKUR: Against such vulnerabilities, what are the lessons learnt by CISOs regarding cybersecurity? How is the open web project helping them?
SOI: The Open Web community helps bring in standards, tools and methodologies that guide CISOs at a strategic and operational level to take a collaborative approach with outsourcing partners and secure applications. These standards will guide them in assessing their current state of security, their future needs and how to plan for securing their apps for the future. It will also help them prescribe governance policies and evolving ways to counter future threats.
Why Attackers Love Coders
NANDIKOTKUR: It is observed that attackers love coders or developers. What do you say to align applications development with security at the design stage?
SOI: Yes, this is a challenge, as application security is always taken into cognizance post-production at the testing phase - a big mistake. Developers should start evaluating applications at the beginning by embedding security features and run it through the department at an early stage. Security should be involved at the procurement and design levels. The SDLC should have a major security component to rule out vulnerability and attract attackers. I'd suggest that assessment has to be continuous along with security. Make it a process, not a one-time activity. If threat mitigation plans must be put in place, CISOs should be able to detect application vulnerabilities at an early stage. Security, too, is being viewed slightly differently than you might think. It's no longer just about protection and control. It has to be about both control or protection and business enablement.
5 Ways to Secure Applications
NANDIKOTKUR: What are the five vital aspects for securing applications?
SOI: The five key components of securing applications include:
- Follow strict security mechanisms in contractual agreements. CISOs should be part of the agreement to define methodologies on securing applications;
- Associate with the development project from the beginning till the end;
- Impart necessary training regarding testing applications at the development stage by the in-house team;
- Build security metrics around the SDLC project, have monitoring controls, define RoI and incorporate the road map for the next phase of development;
- Deploy CMM level 5 standards in framing the SDLC module to make a 3-5 year project plan which cannot fail due to security gaps.