HCL Roundtable: Emerging AppSec Trends in 2021 and Beyond

In an era where data is more valuable than gold, cyberattacks in its multiple manifestations have dominated global headlines with account hijacking and injection attacks. Be it credential theft, brute force attacks, social engineering thefts or access control misconfiguration, the sophistication and damages are rising by the day. While the type of attackers may vary between ‘spray and pray’ opportunistic ones looking for easy pickings or high-profile targeted government espionagers, the business impact by these breaches is rummaging through to trillion of dollars.

The shift to a remote workforce in 2020 has highlighted the need for an approach to app development that has security built-in from inception. In the current digital landscape, security is essential to achieving business resiliency and maintaining quality while developing at the speed of DevOps. Prioritising speed without security in app development can lead to an uptick in critical vulnerabilities with disastrous results. To avoid this, organisations must address security earlier in the software development life cycle.

Cybersecurity Ventures¹ media notes several eye-opening statistics which puts into perspective the importance of security in the new normal. Cybercrime damage costs are predicted to hit $6 trillion annually by 2021 and ransomware attacks on healthcare organisations — often called the No. 1 cyber-attacked industry — expected to quadruple. Cybersecurity Ventures expects that a business will fall victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019. This makes ransomware the fastest growing type of cybercrime. The recent attacks by SolarWinds and FireEye underscores that no organisation is immune to threats and attacks. Attackers are looking for ways to evade IT attention, bypass defences, and exploit emerging weaknesses. The fallout from this attack will likely capture a large proportion of attention of governments and Fortune 500 cybersecurity teams in 2021 and will result in rollout of more stringent cybersecurity policies especially targeting supply chain vulnerabilities.

Security by design – in the DNA

A few hundred years ago, the Greeks, Romans and other mighty empires prided themselves on building impenetrable fortresses around their kingdom to protect themselves from outside invaders. There seems to be a similar theme when corporations in the 21^st century invest heavily in perimeter security to insulate their ‘business data’ empire from outside threats. To some extend this does protect attackers from infiltering, however with the advent of a new era of Apps and IoTs and now with an accelerated change to ways of working during a global pandemic, the concept of only having a best-in-class perimeter security has received a timely wake-up call.

“Application security is really a partnership. In the past years, security has often been seen as a silo. And what we’ve learned along the way is that we need to have better alignment between software development and the security that we’re trying to put into it. And we have to be able to build that in throughout versus trying to bolt it on at the end.”, notes Robert Cuddy, Global AppScan Evangelist, HCL Software.  He says “We need to understand and identify risk earlier when it’s easier to mitigate it and it certainly costs less to do that earlier in the process. That encompasses a whole gamut of things around visibility, reducing false positives – which we spend an awful lot of time doing, providing information for targeted remediation etc.” Cuddy observes that while we go with defence in depth and put in firewalls, network security and identity access management among a host of other things, organisations have to think both ‘outside-in’ and ‘inside-out’ which is where the application security piece comes into effect.

In his insightful blog² Cuddy, rightfully observes that Security needs to be a business enabler, not just a gatekeeper. That means the Security professional needs to have alignment to the business. He goes on to explain that when great security practices are well-integrated throughout the software development lifecycle (SDLC), and meaningful, actionable feedback is provided to teams at all stages then risk is better monitored, managed, minimised and mitigated.

Security is a fundamentally foundational need that everyone involved in developing software has to embrace. This starts with developers and QA who have to provide data on whether a software or app can be made secure before committing to a release. The DevSecOps team must actively identify and manage risk through proactive planning, developing agile methods for continuous testing and making security a part of the overall product strategy. How to achieve Agile AppSec requires a focus on usability and accessibility to ensure the end user experience is functional, intuitive, and secure. The DevSecOps team must enable continuous testing and incorporate security as part of the process from design, development, through testing, and into the DevOps cycle.

Thinking like a hacker is probably the best way to do threat modelling to create mitigation strategies and security controls. Some of the usual threats to applications are broken authentication and session management, cross-site scripting (XSS), security misconfiguration, injection, cross-site request forgery (CSRF) etc. Being compliant, contrary to popular beliefs, does not make the environment ‘secure’. In fact, there is sometimes a false sense of security when compliance is not achieved with the right context of risk and threat mitigation.

False Positives – numbers that hurt

The levels of sophistication and pace of attacks by malicious actors are increasing rapidly and security teams are doing their best to respond and recover from these attacks. The problem that analysts are facing are high volumes of alerts and noises which might more often than not be a false positive. A whitepaper³ by Netsparker finds that eventually developers and testers lose faith in vulnerability scanners that generate false alarms, and they begin to ignore a whole class of problems over which the scanner triggers false alarms. A vulnerability report means additional work, say 2-3 problems are reported as false alarms by certain tools, and human nature dictates that everyone starts ticking boxes and making mistakes, going so far as to consider a single false alarm as a huge problem of magnitude. Worse, if one of the remaining problems is a critical vulnerability that goes unnoticed, it will send a flood of false alarms into production without being caught and repaired, at high cost for later manual testing.

However, when dealing with a false positive, a lot more testing can be necessary until the developer decides that it’s a false alarm. Crucially, someone has to take personal responsibility for ruling against the scanner and signing off code where potentially serious issues have been flagged as false alarms.

In an agile development environment, automation is king – and manual security processes are not a feasible option at scale. DevOps and CI/CD teams rely on their automated tools to do the legwork so they can focus on tasks that require the creativity and problem-solving skills of highly qualified specialists. False positives in vulnerability testing can force testers and developers to put their streamlined automated processes on hold and laboriously review each false alarm just like a real vulnerability.

False positives can also be detrimental to team dynamics. Every time the security team reports a vulnerability, the developers have extra work investigating and fixing the issue, so reliability and mutual trust are crucial to maintaining good relations. This makes false alarms particularly aggravating, and if the vulnerability scan results burden the developers with unnecessary workloads, the working relationship may quickly turn sour. The dev team may start treating the security people as irritating timewasters, leading to an “us vs. them” mentality – with disastrous consequences for collaboration and the entire software development lifecycle.

The National Institute of Standards & Technology (NIST) conducted a series of studies on the effectiveness of Static Application Security Testing (SAST) tools. The study⁴ revealed that on average, AppSec tools have a false positive rate of an astonishing 30% of which another 36% was insignificant. False positives have been identified as one of the leading obstacles to implementing tools, with 90% of developers willing to accept false positives at a rate of 5%. The false positive issue creates an obstacle to the introduction of AppSec tools for developers.

Nuggets for thought

Some guidelines to best practices in AppSec⁵ noted by CBTnuggets are shared below and these can be evolved to best suit the needs of your organisation in the ever changing fast and furious world of Information Technology:

1. Follow secure coding practices
2. Enforce minimum permissions
3. Automate security functions
4. Testing! Testing! Testing!
5. Patch your web servers
6. Inspect all traffic
7. Encrypt everything
8. Learn about new vulnerabilities
9. Focus on key threats
10. Create a plan

When it comes to advancing DevOps practices and patterns for enterprises, human transformation is the most critical success factor. According to Jayne Groll, CEO of the DevOps Institute and author of the 2020 Upskilling Report⁶, “With the rise of hybrid (remote/in-office) product teams, upskilling and online training initiatives will expand. As the pressure continues to rise to sell products and services through e-commerce sites, apps, or SaaS solutions, the lines between product and engineering teams will rapidly blur, giving rise to cross-functional, multidisciplinary teams that must learn and grow together. Each member will need to develop a wider combination of process skills, soft skills, automation skills, functional knowledge, and business knowledge, while maintaining deep competency in their focus areas. Product and engineering teams will be measured on customer value delivered, rather than just features or products created “. He continues to explain that traditional upskilling and talent development approaches won’t be enough for enterprises to remain competitive because the increasing demand for IT professionals with core human skills is escalating to a point that business leaders have not yet seen in their lifetime. This beckons an update for our humans through new skill sets as often, and with the same focus, as our technology.

References

1. Cybersecurity Ventures¹ – Cybersecurity Ventures article
2. insightful blog² – Blog on the new security employee
3. Whitepaper³ by Netsparker
4. The study⁴ – by National Institute of Standards & Technology (NIST)
5. best practices in AppSec⁵ – by CBTnuggets
6. 2020 Upskilling Report⁶ – Report by DevOps Institute