How to keep cybercriminals out of your apps

Cybercriminals had a fantastic time in 2014 – breaching major retailers such as Home Depot and Kmart, major financial institutions (notably JPMorgan Chase), and a slew of smaller companies.

Indeed, cybercrimes are growing more common, more costly, and taking longer to resolve. Those are among the key findings of the fifth annual Cost of Cyber Crime Study conducted by the Ponemon Institute on behalf of HP Enterprise Security.

The 2014 global study of U.S.-based companies, which spanned seven nations, found that over the course of a year the average cost of cybercrime climbed by more than 9% to $12.7 million for companies in the United States, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days, up from 32 days in 2013.

How to protect your apps

Clearly, the need to protect apps (as well as network nodes, servers, and so on) has never been more crucial. For apps, the best approach is to integrate security testing into your development process – a process that is increasingly crafted around DevOps and Continuous Development.

DevOps is fundamentally a mindset about how best to bring together two completely different groups of IT people – the developers who create the applications and the IT operations who deploy and manage those applications.

The basic idea of DevOps is to break down barriers in the pursuit of creating excellent software. The idea of separate silos with developers, operations, testers, and management working in isolation, sometimes even in opposition, is dated and flawed.

Continuous Delivery (CD) is a software strategy that enables organizations to deliver new features to users as fast and efficiently as possible. The core idea of CD is to create a repeatable, reliable, and incrementally improving process for taking software from concept to customer.

The key to successfully implementing DevOps and CD is testing, including security testing. Code must be tested over and over before any software is released.

If companies fail to integrate security testing into the development process and make it part of the software development lifecycle, they face numerous problems. Top-of-mind: the expense of retro-fitting functionality that should have been there initially, and the pain of securing a hybrid system with legacy software not designed for modern security threats.

4 great ways to implement and maintain security testing

Automated testing enables the DevOps team to create a continuous delivery system in which new features can be rolled into live software as they are created. In terms of security, the testing should always be pro-active and thorough. To achieve those goals, companies should consider the following:

• Implementing Secure Programming Education. Proper education can help programmers to best limit and test inputs, store minimum data, encrypt code, and so on – all with the goal of eliminating or minimizing security risks.
• Adopting Interactive Application Security Testing (IAST). This enables companies to combine elements of static and dynamic techniques to run automated tests continuously on their software to see how it copes with malicious traffic. As IAST monitors data inside the application, it can pinpoint issues that might arise from real-world attacks, enable a useful assessment of the impact, and make it easier to remediate.
• Hiring Security Analysts. These pros can properly configure your tools and interpret the results. You can buy the best security tools in the world, but you have to know how to leverage them and act on the data. An external analysis can provide real insights that will boost application security.
• Using the Open Web Application Security Project. This is a great community where you can find innovative solutions to modern software security challenges. The community can help you to understand secure development standards and can provide you with invaluable resources and advice from experts around the globe.

Full-time InfoSec talent can mean the difference between mediocre software and excellent software

Security testing in your development pipeline should not be any more static than any other part of your dynamic process of creating and reviewing pipelines. Security must be continually reviewed and modernized to ensure it delivers optimum results.

By incorporating solid security foundations and processes into your application development lifecycle, you will protect every current and future software project. Such long-term planning not only makes financial sense, but it is highly likely to result in better quality software.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.