Ensuring Security Governance in Application Development

In today’s competitive world, optimizing operations and being agile are key to maximizing revenues. To accomplish this, businesses have turned to applications that drastically enhance workforce productivity and turn employee efforts into significant outcomes. Because of the fast-paced nature of business, during application development, the priority is to go live as soon as possible which may lead to IT teams overlooking critical issues. With cybersecurity incidents costing businesses in excess of $45 billion in 2018, there’s clear need to secure applications.
Major challenges
Commonly, organizations focus more on securing the perimeter network and implement protection mechanism like firewalls, IPS, etc. But application security, which drives core business services, is neglected. We have seen that this is just at true of large to medium businesses as it is of small companies. So, why is security not considered as a priority in the application development process?
Below are some challenges faced by organizations which may lead to security being neglected in the application development lifecycle.

• Absence of Information security function in the organization
• Absence of Application security policy and framework
• Lack of security skills, training and awareness
• Weak application design and change control process
• Insufficient application testing due to tight timeline
• Inappropriate source code versioning and protection
• Weak control gates before moving application to production

Failing to address these challenges increases the probability of application compromise and vulnerable systems being moved in to production. This in turn can increase the risk to organizations in terms of financial, customer confidence and reputational losses.
Attackers can potentially exploit many different paths through your application to do harm to your business. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention. Below is the example of an attack path:

Figure 1: Reference from Owasp.org

These application attacks are mainly possible due to known vulnerabilities and zero days i.e. unknown system weakness. This occurs because security controls are not implemented or tested appropriately before moving source code into production environments. Known applications vulnerabilities identified by OWASP, also show that the weaknesses which provide attackers ease of exploitation, have been present and barely changed in the past years.

Figure 2: Reference from Owasp.org

What is the solution?
The answer to address these challenges is to implement Secure Software Development Life Cycle (SSDLC) by establishing an application security governance program within the organization. In addition to enhancing your organization’s security posture, this will also contribute to reducing the costs associated with debugging and securing the applications at a later stage.
This program mainly contains the following elements:

• Identify current application development process gaps
• Develop Application security objectives and roadmap
• Establish application security policy
• Establish application security framework – that includes below processes
  • Risk assessment
  • Security requirements
  • Security architecture
  • Security testing
  • Source code protection
• Develop application security measurement criteria
• Conduct periodic secure coding awareness for application developers
• Source reviews, application assessments and application security audits

The defined processes need to be integrated into every stage of the application development lifecycle. A Secure SDLC process also ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort.
SDLC Process

Secure SDLC Process

Help AG Service Offering
Our Cybersecurity Consulting team has years of experience in understanding client challenges in the application security domain. They have successfully established security governance programs for various organizations in the UAE and have helped these organizations address application security governance related risks. Moreover, our Security Analysis team, who are avid developers at heart, are helping organizations mitigate application security risks by conducting technical assessments of applications and static/dynamic source code assessments prior to going live.
At the end of the day, while businesses rely heavily on applications, these need to be developed with a long-term strategy in mind. Delivering easy-to-use applications won’t win any points if they place sensitive corporate or customer data at risk. Addressing the application development challenges is essential and the SSDLC is a powerful tool to achieving this. And of course, Help AG’s teams are ready to help you wield this tool to maximum positive effect.