Topics In Demand
Notification
New

No notification found.

First Principles of Application Security that define Success
First Principles of Application Security that define Success

9967

2

In continuous efforts by businesses to gain an edge over competition, they are incorporating features and enhancements as part of the value offerings and application development teams are playing a crucial role in helping achieve it.

 This entails accelerated development and release cycles with more focus on functionality and performance. And unfortunately, in this frenzy, security requirements are de-prioritized in most cases unless the organization is mature enough to incorporate security controls in the development pipeline itself. Adoption of newer technologies, such as containers, micro-services, cloud computing and server-less functions, further adds complexity to this landscape as more number of smaller pieces of software/applications coexist to deliver the required business functionality with multiple levels of dependencies. 

While the businesses continue to do their jobs, a set of disruptors or malicious actors are constantly finding ways to breach these systems. Attempts by these disruptors or cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Hence organizations have to deploy enough resources to both innovate and keep these disruptors at bay. Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative. With accelerated development effort, constantly changing technology eco-system, this becomes a hard problem to solve. The only way to stay ahead of the curve is to find automated ways for early vulnerabilities detection to tackle these challenges to improve application security.

First Principles

While there are several articles written on the topic of application security threat vectors, tools and technologies, this article would focus on the first principles that the security teams could rely on for an effective application security program.

Create Awareness: This is the most important step of any successful program. Creating awareness sets the stage where security teams can gather feedback, foster participative management, set a stage for questions being asked, spark ideas and most importantly clarify as to why they are doing it in the first place. By not giving this step the due importance, teams risk the program being looked at as yet another make-work project or, worse yet, not being able to articulate how it truly links to the strategic plan and direction. 

Simplify Adoption: Application Teams are focused on delivering value to businesses, their focus is not on security and its complexities. In order to help them adopt security best practices is to "simplify" implementations. The idea here is, that the bulk of the heavy lifting, a.k.a implementations, are done by the security teams and application teams are supposed to then include those implementations, as applicable, as part of their pipelines or code bases. This way the teams are abstracted away from the nitty-gritty of implementation and can continue to focus on their core activities without distractions.

Measure Everything: A quote often attributed to Peter Drucker says, "You cannot improve what you do not measure". Once the implementation details are shared with the application teams, there should be a constant endeavor to measure the adoption. These measured indicators could give insights into several other details e.g., if the adoption is lagging, it could be because of lack of awareness or understanding. It could also be because of complex implementation. In both these cases, inferences can be drawn, and corrective actions can be taken to further improve the adoption. 

Listen to feedback: Listening to application teams’ feedback is not just hearing about the challenges faced by the teams, listening is about connecting with them. It involves paying close attention to their needs and understanding how Security and Application teams can help each other in achieving common goals of a more secure eco-system. To that end, there exists a need to make providing feedback easy, use various tools like open-offices or survey links etc. If one is talking the survey route, it should be designed to ask the right questions which help improve the overall process holistically. Once the feedback is taken, it is equally important to communicate back to the teams as what to changes have been made based on their feedback.

There is common knowledge that there are three pillars of Cyber Security model i.e. People, Process and Technology. No other practice brings it to the fore as an application security program does, it has an involvement of all of these pillars in equal measure, as has also been detailed in the above sections. All of those facets need constant focus and fine-tuning. Despite all the modern security tools and technologies at our disposal, not paying attention to either of these first principles, which in turn are based on people, process and technology, an organization might risk failure in its attempt to create an effective and successful application security program.  

By Nikunj Radhu, Principal Architect - Information Security, Lowe’s India


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


© Copyright nasscom. All Rights Reserved.