Jul 31, 2018
Organisations go to great lengths to improve their information security, and achieve compliance with the UK’s myriad regulations and industry standards, whether PCI DSS, the Data Protection Act, the Companies Act or ISO 2700x. These standards all share the same trait (aside from the overuse of acronyms): they’re all changing to address the threat posed by application security. To reduce your compliance risk, you need to do the same.
The Importance of Application Security in Achieving Compliance
Insecure applications have fast become the biggest source of data breaches, with application vulnerabilities reported almost four times as frequently as browser and OS vulnerabilities combined. Unsurprisingly, regulators and industry standards bodies are beginning to tailor their compliance requirements to mitigate the threat. Now more than ever, your organisation’s application security has a very real impact on compliance – and in order to fully comply with the likes of the latest PCI legislation, your organisation has to improve its application security. Thankfully, application security training can be adopted in an efficient, cost-effective way. In doing so, you’ll be able to kill two birds with one stone: protecting your sensitive data from prying eyes, and reducing your organisation’s compliance risk.
“The latest version of PCI DSS requires organizations to “develop applications based on secure coding guidelines”, prevent coding vulnerabilities, and follow secure coding standards.”
6 Ways to Align Software Development with Compliance Requirements
1) Basic Security Awareness Training
Effective application security starts with basic security awareness. All members of the software development team, and select members of the compliance team, need to get to grips with the basic tenets of security: helping them understand the need for improved security, as well as the best ways to achieve it.
2) Threat Modelling and Securing the SDLC
Managers and architects need to take their training a step further, and engage in role-specific security awareness modules, including threat modelling, architecture risk analysis and strategies for securing every stage of the SDLC.
3) Defensive Coding
Most of the vulnerabilities that make it into finished applications can be detected and remediated early on in the software development lifecycle. To do so, it’s important to stem vulnerabilities at the source and offer developers language- and role-specific training – teaching them the tenets of defensive coding in their own speciality, be it Java, PHP or C++.
4) Security Software Training
Both static and dynamic testing tools can be huge assets in the fight for improved compliance and application security – but only if they’re used effectively. In order to prevent your expensive security investments from sitting unused and gathering dust, it’s essential to train software engineers to use them properly – allowing them to weed out the false positives, and identify the real threats to compliance.
5) Secure Failure and Effective Reporting
Attacks are inevitable, and your ability to comply with regulation depends on more than your ability to repel attacks – you also need to handle successful attacks in a safe and effective way. This means learning how to write software that fails securely, and developing standardised processes for identifying and reporting successful data breaches.
6) Compliance-specific Application Security Courses
There are certain compliance standards that cause real headaches for organisations, including the Payment Card Industry Data Security Standard (PCI DSS). When adhering to a particular standard plays such a large part in managing your organisation’s compliance risk, it can be incredibly helpful to send key personnel on standard-specific training courses – allowing them to understand the ins and outs of the most important compliance risks facing your organisation.