Three steps to AppSec
Application security – or AppSec – is becoming a challenge for organisations in the retail and financial sectors, as COVID-19 has resulted in an unprecedented surge in e-commerce accompanied by massive growth in the number of mobile and Web-based applications.
Retailers and banks in particular are focusing more on the security of their digital channels, says Seph Robbertse, Sales Specialist: AppSec and IAM at Micro Focus South Africa, as the whole shift to work from home has resulted in increased interaction across digital channels for both of these sectors.
“Over the past year, we’ve seen retailers struggle to stay relevant – and in business – acquiring delivery businesses, launching applications that promise home delivery within 60 minutes of the order being placed and other innovative measures aimed at wooing customers. In a similar vein, banks are seeing increased online traffic as people avoid going into their branches in favour of resolving their queries online, where possible.”
As a result, retailers and financial institutions are placing more focus on the security of these channels.
This requires more focus on security throughout DevOps, says Robbertse. “While the pressure is on to roll out software quickly so that businesses can gain a competitive edge, they can’t afford to neglect application security. It’s no longer just about the quality of the application and ensuring that it works properly; the impact of a breach or security risk is increasing exponentially. In the rush to release new iterations or features, there’s a tendency to forget application security – at a time when it matters more than ever.”
All organisations, regardless of sector, need to look at their AppSec programme, he advises. If they already have one in place, they need to optimise it. If they don’t have one, they need to get moving sooner rather than later. “I’m not just talking about a potential breach of the application; an AppSec programme is also around compliance with the various industries’ different regulations and compliance requirements, not to mention data protection laws such as POPIA and GDPR.”
Any AppSec programme is a journey, he explains. The first step is for the organisation to reach a maturity level at which it can identify risks, which the majority of organisations are already able to do. The second level is some degree of policy compliance, where the organisation gets reporting and brings in automation. The third level is risk mitigation – bringing AppSec into the pipeline and making it part of the DevOps programme, starting with inbuilt best practices and actionable controls.
Robbertse says: “Most organisations are at the first two levels and are striving to get to level three. One of the big challenges encountered when moving between the different levels arises when the developer is expected to resolve security-related issues. Developers are experts at implementing requested features or functionality, but they are code experts and not security experts, yet this is starting to be expected of them.”
This is why Robbertse claims the real first step in any application security programme within any organisation should be developer education. “Developers need to be educated around application security as it’s gradually also falling under their ambit, despite the fact that they tend to avoid the topic simply because they don’t know much about it.
“The world of application security can be confusing for the newcomer,” he says, “there are a lot of acronyms and ongoing new developments in the field. One way that this challenge can be resolved is by giving developers access to training videos that feature experts discussing the basics of application security and demonstrating that AppSec won’t have a negative impact on their day-to-day jobs.”
Not only will educating developers around application security help organisations to optimise their AppSec programmes, it will also assist with the overall cyber resilience of the organisation, enabling it to survive in the face of adverse conditions, such as a pandemic.
For additional reading, see the 2020 Gartner report on the critical capabilities for application security testing and Gartner’s 2020 Magic Quadrant for application security testing.