Aug 22, 2018
When you’re looking to improve application security in your organisation, you need to consider the applications you use as well as the applications you develop. Today, I’m looking at nine things you can do to improve your application security.
1) Only Use Supported Software
For all the software that your organisation uses, make sure that the version you’re using is still regularly updated, supported and patched by the vendor. Outdated software quickly becomes vulnerable to new threats and attacks, so if it’s no longer supported you will need to update to the current version and install all relevant security patches as recommended by the vendor.
2) Assess the Security of New Software
When choosing new software for your organisation, make sure that it follows security best practices such as SSL encryption, robust permissions systems, and compliance with industry security standards.
3) Examine the Security History of New Software
Examining the security history of new software gives you insight into the vendor’s security process. You can find out about the software’s history of vulnerabilities, how (and how quickly) customers were notified, and how the vulnerabilities were patched or remedied.
4) Deploy Web Application Firewalls (WAFs)
These inspect all traffic flowing to web applications for common attacks, such as cross-site scripting, SQL injection and command injection. Deploying a WAF will protect web applications against some of the most common security attacks and help to safeguard your organisation’s data.
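To make the inspection a WAF performs concrete, here is an added example (not code from this article or from any WAF product) that applies a few signature rules to constructed access-log lines. The log format, the IP addresses and the three rules are all assumptions; a production WAF has far larger rule sets plus request normalisation and anomaly scoring, so treat this as an illustration of the mechanism rather than a ruleset to deploy.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic). Assumed format:
# "<client ip> <method> <path+query> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET /products?id=42 200
10.0.0.7 GET /products?id=42'%20OR%20'1'='1 200
10.0.0.9 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 200
10.0.0.3 GET /ping?host=127.0.0.1;id 200
10.0.0.4 GET /about 200
"""

# Illustrative signature rules, one per attack class named in the article.
# Each is applied to the URL-decoded query string. Signature rules need tuning
# against real traffic: they produce both false positives and false negatives.
RULES = [
    ("sql_injection",
     re.compile(r"(?i)('\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+'?|\bunion\b\s+\bselect\b|--\s*$)")),
    ("cross_site_scripting",
     re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")),
    ("command_injection",
     re.compile(r"(?i)[;&|`]\s*(id|cat|ls|wget|curl|sh|bash)\b")),
]


def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if there is none)."""
    _, _, query = path.partition("?")
    return unquote_plus(query)


def inspect_request(path):
    """Return the names of every rule that matches the decoded query string."""
    query = decode_query(path)
    return [name for name, pattern in RULES if pattern.search(query)]


def parse_log(text):
    """Parse the constructed log format into (ip, method, path, status) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, method, path, status = line.split()
        records.append((ip, method, path, int(status)))
    return records


def find_attacks(text):
    """Map client IP -> matched rule names for every request that trips a rule."""
    hits = {}
    for ip, _method, path, _status in parse_log(text):
        matched = inspect_request(path)
        if matched:
            hits[ip] = matched
    return hits


if __name__ == "__main__":
    for ip, rules in find_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(rules)}")
```

The decoding step matters: the same rules run against the raw, percent-encoded path would miss the second and third lines, which is why real WAFs normalise requests (decoding, case folding, whitespace handling) before matching.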
5) Test for Common Security Weaknesses
You should implement a procedure for testing both software you’ve developed in-house and software you’ve acquired for common security weaknesses (such as those outlined by the OWASP Top 10) using automated remote web application scanners. Testing should take place before deployment, as well as whenever updates are made to the application, and on a regular recurring basis.
6) Test for Coding Errors in Developed Software
Integrating peer review into the software development process will help to identify vulnerabilities as early as possible. You should also use static code analysis software, as well as manual inspection, to identify coding errors and potential vulnerabilities in the software your organisation develops.
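As an added illustration of what static code analysis looks for (this is not code from the article and not any particular analysis product), the following pass walks a Python module's syntax tree and flags three coding errors that peer review would also catch: shell=True subprocess calls, SQL statements assembled by string formatting, and calls to eval/exec. The module under review, SAMPLE_SOURCE, is constructed for the example; the rule names and the specific checks are assumptions, and a real tool would carry many more rules and data-flow tracking.

```python
import ast

# Constructed sample module under review. It deliberately contains three
# patterns the analyser should flag, plus one correct parameterised query.
SAMPLE_SOURCE = '''
import subprocess
import sqlite3

def run(cmd):
    return subprocess.run(cmd, shell=True)

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
    return cur.fetchall()

def calc(expr):
    return eval(expr)

def safe_lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()
'''


def dotted_name(expr):
    """Render a call target as a dotted name, e.g. 'subprocess.run' or 'cur.execute'."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        base = dotted_name(expr.value)
        return f"{base}.{expr.attr}" if base else expr.attr
    return None


def is_dynamic_string(expr):
    """True for '%'-formatting, '+' concatenation, f-strings and str.format() calls."""
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(expr, ast.JoinedStr):
        return True
    if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format"):
        return True
    return False


class DangerousCallFinder(ast.NodeVisitor):
    """Collect (line number, description) for each flagged call."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = dotted_name(node.func) or ""
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "eval/exec call"))
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, "subprocess call with shell=True"))
        # Any .execute() whose statement argument is built dynamically: the
        # parameterised form (constant SQL plus a parameter tuple) is not flagged.
        if name.endswith(".execute") and node.args and is_dynamic_string(node.args[0]):
            self.findings.append((node.lineno, "SQL statement built by string formatting"))
        self.generic_visit(node)


def analyse(source):
    """Parse a module and return its findings sorted by line number."""
    finder = DangerousCallFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for lineno, description in analyse(SAMPLE_SOURCE):
        print(f"line {lineno}: {description}")
```

Running the pass on its own sample reports lines 6, 10 and 14 and stays silent on safe_lookup, which is the behaviour you want from a check wired into a pre-merge pipeline: it blocks the known-bad shapes without generating noise on the correct idiom.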
7) Secure the Software Development Lifecycle (SDLC)
By integrating security measures into each stage of the SDLC you reduce the likelihood of critical vulnerabilities making it into the finished application. As well as security benefits, this also has a financial benefit for your organisation: the sooner a problem can be detected, the cheaper it is to fix. It’s 30x more expensive to fix a vulnerability during post-production than during the requirements or design stages.
8) Inventory All Software
It’s vital that you keep track of all approved software being used by your organisation so you can keep it updated. Additionally, shadow IT (the use of unauthorised applications within an organisation’s IT network) is a growing security concern as it creates security blind spots – parts of your network operating outside the knowledge of your IT team. Shadow IT most commonly manifests when employees install their preferred applications onto their device without making the IT department aware. This can create vulnerabilities through which data breaches can occur, which will affect the whole of your organisation’s network. Therefore, you should also identify unauthorised software being used by your employees to minimise the risks associated with shadow IT.
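Points 1 and 8 together amount to one recurring check: reconcile what is actually installed against the approved catalogue, flagging anything unapproved (shadow IT) and anything approved but below the vendor's supported version. The following added example (not code from the article) does that reconciliation over constructed data; the catalogue, the installed list, the package names and the version thresholds are all made up for illustration, and in practice the catalogue would come from your asset register and the installed list from a package manager or endpoint agent.

```python
from dataclasses import dataclass

# Constructed approved-software catalogue: name -> (minimum supported version, owning team).
# These entries are illustrative; the real source is your asset register / CMDB.
APPROVED = {
    "openssl": ("1.1.1", "platform"),
    "nginx": ("1.14.0", "web"),
    "python3": ("3.6.0", "platform"),
}

# Constructed inventory of one host ("<package> <version>" per line), as an endpoint
# agent or package manager might report it. The two unlisted tools stand in for
# software a user installed without telling IT.
INSTALLED = """\
openssl 1.1.0g
nginx 1.15.2
python3 3.6.5
tunnelclient 2.2.8
remotedesk 13.1.0
"""


@dataclass
class Finding:
    package: str
    installed: str
    issue: str      # "unapproved" or "below_supported_version"
    detail: str


def parse_version(text):
    """Turn '1.15.2' into (1, 15, 2) so versions compare numerically.

    Non-numeric suffixes are dropped ('0g' -> 0); a real deployment should use
    the package manager's own version comparison rather than this simplification.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_installed(text):
    """Parse the constructed inventory format into {package: version}."""
    items = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            items[name] = version
    return items


def reconcile(installed, approved):
    """Compare an installed-package map against the catalogue and return findings."""
    findings = []
    for name, version in sorted(installed.items()):
        if name not in approved:
            findings.append(Finding(name, version, "unapproved",
                                    "not in approved catalogue (possible shadow IT)"))
            continue
        minimum, owner = approved[name]
        if parse_version(version) < parse_version(minimum):
            findings.append(Finding(name, version, "below_supported_version",
                                    f"minimum supported is {minimum} (owner: {owner})"))
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_installed(INSTALLED), APPROVED):
        print(f"{f.package} {f.installed}: {f.issue} - {f.detail}")
```

Each finding carries the owning team for approved packages, so the report can be routed to whoever is responsible for the upgrade rather than landing in a general queue; unapproved packages have no owner yet, which is exactly the blind spot the article describes.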
9) Provide Staff Training
Security training is crucial to improving application security. Your software developers should receive training in secure coding best practices and the common vulnerabilities those practices prevent. It’s essential for developer security training to be role-specific, to provide maximum benefit for your developers and your organisation.