How secure coding can help prevent damaging data breaches

4 Dec 2017

Srini Vemula, programme manager, SenecaGlobal. Image: SenecaGlobal

Application security can no longer be an afterthought.

The world of data breaches is rapidly expanding, with a new threat appearing around every corner. According to security expert Srini Vemula of international technology consulting firm SenecaGlobal, there’s one major thing that can often be neglected: the security of the code within apps themselves.

Siliconrepublic.com spoke to Vemula about the importance of watertight application security (appsec) in terms of creating an armour against breaches, bad actors and a whole host of nefarious threats.

“If sound application security processes are followed very early in the software development process, the cost incurred can be reduced,” he said.

More devices, more opportunities for cybercrime

Vemula emphasised just how different the world of app development and security is now, compared to several years ago. We are all using an array of devices to access information, opening up more opportunities for exploitation and data breaches.

“As the app development landscape keeps getting wider and deeper, people using their devices outside of the company network, downloading software that is hosted on a cloud environment, as well as the proliferation of the internet of things, means this is a new paradigm in how development is done,” Vemula said.

Data breaches are evolving

Vemula added that “every bad agent in the world knows that applications are in the public domain”, so the motivation to hack them is that much higher.

He explained the need for a total change in how appsec is done: “Security is often after the fact, rather than doing a wholesale assessment of, ‘What is our philosophy around security as a company?’ and making risk assessments.”

He noted that a lot of these important factors can “get diluted or completely missed, depending on if you’re a small company who is under tremendous pressure to hit the market timeline, or a larger company with a distributed workforce, with a huge swathe of applications to support”.

For the latter, Vemula said that it’s relatively easy for these measures to slip through the cracks of a company security strategy. “There are too many moving parts for you to get a grasp on, which results in vulnerabilities from unsecured coding practice.”

Follow app security controls closely

According to Vemula, most of the usual suspects behind a hack or exploit stem from not following fundamental appsec controls.

This is changing for the better, he said, pointing to the embrace of DevOps as a strategy for shipping better and safer software. For Vemula, an integrated and ongoing appsec strategy gives “excellent opportunities to bake in security, putting checks and balances, whether it’s running tests regularly or making sure your container security is well defined”.

A world where cybercrime is shapeshifting and evolving along with increased public awareness of infosec is creating something of a whistling kettle, he added. “When a breach happens, the risk is more damaging than the amount of time it takes for you to establish good processes.

“Once a breach happens, your customers are angry, there is damage to the reputation, loss of revenue. A lot of businesses don’t get a second chance if they lose customer data.”

He likened looking after the security of applications to someone’s own personal healthcare: “The earlier you diagnose, the better it is.”

Mitigation of risk, not elimination

As a realist with years of security experience, Vemula knows more than most that eliminating security risks in their entirety is an impossible task.

However, by looking at it on an individual basis, companies can mitigate a large amount of danger. “If you are small and have software that doesn’t store any sensitive data, your strategy is different to a company with a lot of apps storing credit card data – it’s a totally different ball game.”

According to Vemula, there are no excuses for a poor security strategy, or the absence of one entirely. “Irrespective of where you fall, you need to start with a baseline. A lot of the time, security is tagged on. People buy tools and slap security on and think they are safe.”

Identifying the characteristics of your application is paramount. Ask questions about the application yourself and ask your team: “Is it using open-source software? What languages are you using? Are the risks so high that it warrants a large investment? Can we develop in-house or buy software?”

From there, patterns can be identified. Look at cloud deployment: if you use a cloud provider for deploying apps, or Docker as a container platform, then you can create a baseline that is applicable to everything. “This is where a company-level framework needs to be identified,” Vemula advised.

“If you are a CSO, it will give you confidence that you know you are covered for the most-recognised security flaws.”

Once the patterns are identified, metrics need to be collected, and learning from experience is vital. “If you get breached, then you bring back that experience into the baseline and improve it. Most of the time, it is about patching.”

Identifying the crucial baseline, conducting tech landscape audits and implementing tech modelling should be of utmost importance. Teams can note threat vectors, then take each vector and do a risk assessment on it.

Security is different for everyone, but the absence of a strategic approach from the start can prove costly, both in terms of the bottom line and your reputation.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects