How to keep cybercriminals out of your apps

Feb 27, 2015 | 4 min read
Mobile Security | Security

Four ways to implement and maintain security testing.

Cybercriminals had a fantastic time in 2014 – breaching major retailers such as Home Depot and Kmart, major financial institutions (notably JPMorgan Chase), and a slew of smaller companies.

Indeed, cybercrimes are growing more common, more costly, and taking longer to resolve. Those are among the key findings of the fifth annual Cost of Cyber Crime Study conducted by the Ponemon Institute on behalf of HP Enterprise Security.

The 2014 study, which spanned seven nations, found that over the course of a year the average cost of cybercrime for U.S.-based companies climbed by more than 9% to $12.7 million, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days, up from 32 days in 2013.

How to protect your apps

Clearly, the need to protect apps (as well as network nodes, servers, and so on) has never been more crucial. For apps, the best approach is to integrate security testing into your development process – a process that is increasingly crafted around DevOps and Continuous Development.

DevOps is fundamentally a mindset about how best to bring together two completely different groups of IT people – the developers who create the applications and the IT operations who deploy and manage those applications.

The basic idea of DevOps is to break down barriers in the pursuit of creating excellent software. The idea of separate silos with developers, operations, testers, and management working in isolation, sometimes even in opposition, is dated and flawed.

Continuous Delivery (CD) is a software strategy that enables organizations to deliver new features to users as fast and efficiently as possible. The core idea of CD is to create a repeatable, reliable, and incrementally improving process for taking software from concept to customer.

The key to successfully implementing DevOps and CD is testing, including security testing. Code must be tested over and over before any software is released.

If companies fail to integrate security testing into the development process and make it part of the software development lifecycle, they face numerous problems. Top-of-mind: the expense of retro-fitting functionality that should have been there initially, and the pain of securing a hybrid system with legacy software not designed for modern security threats.

4 great ways to implement and maintain security testing

Automated testing enables the DevOps team to create a continuous delivery system in which new features can be rolled into live software as they are created. In terms of security, the testing should always be pro-active and thorough. To achieve those goals, companies should consider the following:

  • Implementing Secure Programming Education. Proper education can help programmers to best limit and test inputs, store minimum data, encrypt code, and so on – all with the goal of eliminating or minimizing security risks.
  • Adopting Interactive Application Security Testing (IAST). This enables companies to combine elements of static and dynamic techniques to run automated tests continuously on their software to see how it copes with malicious traffic. As IAST monitors data inside the application, it can pinpoint issues that might arise from real-world attacks, enable a useful assessment of the impact, and make it easier to remediate.
  • Hiring Security Analysts. These pros can properly configure your tools and interpret the results. You can buy the best security tools in the world, but you have to know how to leverage them and act on the data. An external analysis can provide real insights that will boost application security.
  • Using the Open Web Application Security Project. This is a great community where you can find innovative solutions to modern software security challenges. The community can help you to understand secure development standards and can provide you with invaluable resources and advice from experts around the globe.

Full-time InfoSec talent can mean the difference between mediocre software and excellent software

Security testing in your development pipeline should be no more static than any other part of the process you use to build and review that pipeline. Security must be continually reviewed and modernized to ensure it delivers optimum results.

By incorporating solid security foundations and processes into your application development lifecycle, you will protect every current and future software project. Such long-term planning not only makes financial sense, but it is highly likely to result in better quality software.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women's Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls' mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.