New Challenges in Application Security
Businesses today are having to cater to an increasing demand for always-on, reliable, and secure application services to meet internal and customer expectations. With constantly fluctuating market needs, there is also the need for rapid, iterative development and deployment of applications in production. All of this has necessitated the use of models that help automate development and deployment processes efficiently. In this context, from an application security point of view, several new challenges and risks arise. As a result, solutions that offer greater visibility and control over vulnerabilities and attacks throughout the application life cycle are gaining significant importance.
GAVS recently conducted a webinar in collaboration with Hdiv Security that focused on DevSecOps and on how the newer IAST (Interactive Application Security Testing) and RASP (Runtime Application Self-Protection) approaches can help security teams detect vulnerabilities in on-premise and cloud applications in real time and protect their integrity even when the underlying infrastructure is compromised.
The first panelist was Daniel Lopez Perez. He is currently the Sales Director at Hdiv Security, a pioneer in enabling application self-protection. Hdiv is the first product in its class, offering protection against security bugs and business logic flaws throughout the Software Development Lifecycle (SDLC). Daniel has over 20 years of international experience in sales, presales, and consultancy roles, in the networking and cyber security space.
Kannan Srinivasan, Head of Cyber Security Practice at GAVS Technologies, joined as our second panelist. He has over 21 years of experience and has handled multiple large cyber security transformation engagements for various clients across BFSI and Healthcare. He is a subject matter expert in DevSecOps, cloud security, infra security including SOC, vulnerability management, GRC, IDAM, Managed Security Services (MSS), and data protection & privacy.
This blog captures some of the key discussion points and takeaways from the webinar. The link to the entire webinar is available at the end of the blog.
Software Product Security – The Current Market Situation
Recently, British Airways was fined 20 million pounds for a data breach. Similarly, a critical SQL injection vulnerability exposed approximately one million financial records stored in a Starbucks enterprise database. These are just two examples of the rising security and operational issues that accompany the increasing adoption of technology across industries. Broadly, four main factors contribute to growing concerns about data security:
- Too many legacy and unreliable tools, leading to a fragmented view of the threat landscape
- Vulnerable applications due to unidentified flaws during testing
- Significant time spent on manual application security testing
- No real-time protection for applications in the production environment
Today, Application Security (AppSec) is evolving into DevSecOps. DevSecOps essentially uses integrated tools within the development toolchain, including automated policy enforcement. It also provides security guardrails that help teams to maximize security and velocity. A recent survey of 250 organizations in the USA and UK states that 75% have adopted DevSecOps. This growth can be attributed to DevSecOps’ ability to offer security, quality, and resilience while offering a 30% faster time to market. The rise of DevSecOps is also a direct result of:
- The constant change in threat vectors
- Adoption of DevOps with the need for security testing at each step
- The increase in microservices and containers, driven by the demand for highly scalable applications that share functionality, which brings considerable additional complexity
- Rising cloud adoption, which increases the risk of vulnerabilities and security flaws within applications
It is estimated that by 2022, 90% of software projects will use DevOps practices. It is also predicted that security testing will become the norm at every stage of CI/CD, and that both code and runtime behaviour will require mandatory testing.
Evolving Application Security Testing (AST)
The current security landscape reinforces the need for organizations to be aware of vulnerabilities such as SQL injection and of more advanced security threats. Although a Web Application Firewall (WAF) is considered a security measure, it does not protect organizations from a host of vulnerabilities, including non-HTTP attacks, attacks from internal sources, IDOR (Insecure Direct Object Reference), SSRF (Server-Side Request Forgery), untrusted deserialization, and padding oracle attacks.
‘The State of Application Security 2020’ by Forrester reports that Interactive Application Security Testing (IAST) is overtaking DAST in the development phase. IAST adopts a ‘Code-Build-Test-Deploy-Operate’ approach that helps organizations identify issues before an application is launched and resolve security errors that arise from business logic flaws. Reportedly, 32% of global security decision-makers implement IAST in the development phase, while 35% implement DAST in the development phase. The main difference between IAST and SAST or DAST is that IAST operates inside the application. Because it runs inside the application, IAST has access to a broader range of data than source-code scanning or HTTP scanning, which offers the following benefits:
- Continuous vulnerability detection
- One solution for development, quality assurance, and security teams
- No false positives
- Third-party vulnerability detection
- Integrated seamlessly into the DevOps toolchain
To build a robust security posture, organizations are also focusing on Runtime Application Self-Protection (RASP). RASP builds security into a running application: it intercepts the calls the application makes to the underlying system, verifies that they are safe, and validates data requests directly inside the application. RASP protects applications and APIs against attacks and offers various benefits, including:
- Higher protection from various types of attack
- Dramatic reduction of false positives
- Ease of maintenance
- Adaptable to new standards (JSON etc.)
- Adaptable to cloud and DevSecOps
- Defined perimeter
- Scalability
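As an added illustration of the in-application check described above (example code, not Hdiv's product or anything shown in the webinar), the hypothetical RaspCursor below hooks the SQL sink: the application still concatenates user input into its query, and the hook rejects the call when the untrusted value changes the query's token structure, which is a judgement a perimeter WAF that only sees HTTP traffic cannot make. Table and row contents are constructed sample data.

```python
import re
import sqlite3

# Coarse SQL lexer: string and numeric literals collapse to placeholders; keywords,
# identifiers, operators and comments form the structural signature of the query.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_][A-Za-z_0-9]*|--[^\n]*|[^\sA-Za-z_0-9]")

def sql_structure(query):
    sig = []
    for tok in TOKEN_RE.findall(query):
        if tok.startswith("'"):
            sig.append("STR")
        elif tok.isdigit():
            sig.append("NUM")
        elif tok.startswith("--"):
            sig.append("COMMENT")
        else:
            sig.append(tok.upper())
    return sig

class RaspCursor:
    """Hypothetical RASP hook around a DB cursor (the SQL sink). It compares the
    structure of the query the app is about to run with the structure obtained when
    the untrusted value is replaced by a harmless literal; any difference means the
    input changed the grammar of the query, i.e. an injection attempt."""
    def __init__(self, cursor):
        self._cursor = cursor
        self.blocked = []  # rejected queries, kept for logging and alerting

    def execute(self, template, untrusted):
        expected = sql_structure(template.format(v="'x'"))
        query = template.format(v="'" + untrusted + "'")
        if sql_structure(query) != expected:
            self.blocked.append(query)
            raise PermissionError("RASP: untrusted input altered SQL structure")
        return self._cursor.execute(query)

def lookup(cur, name):
    """Application code with the classic flaw: user input concatenated into SQL."""
    return cur.execute("SELECT id FROM users WHERE name = {v}", name).fetchall()

def run_demo():
    conn = sqlite3.connect(":memory:")  # constructed sample database
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    cur = RaspCursor(conn.cursor())
    ok = lookup(cur, "alice")                 # benign input passes through
    try:
        lookup(cur, "' OR '1'='1")            # tautology changes the token structure
        verdict = None
    except PermissionError as e:
        verdict = str(e)
    return ok, verdict, len(cur.blocked)
```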
You can watch the entire webinar here; it includes poll questions, a discussion of real use cases, a live demo of the product, and the experts taking audience questions.
GAVS routinely organizes insightful webinars with GAVS’ tech leaders, the leadership team, and industry thought leaders to explore current and emerging trends. To watch all our webinar recordings, please visit https://www.gavstech.com/videos/.