Governments around the world are making efforts to help businesses secure their digital landscape. The UK’s digital strategy places a strong emphasis on security; however, despite these initiatives, many organisations are still facing an elevated cyber risk.
In fact, 88 percent of organisations worldwide have suffered at least one breach in the past year due to vulnerable code, highlighting the need to put in more measures to secure code and re-evaluate the current state of application security (AppSec).
We asked Sandeep Johri, CEO of Checkmarx about the importance of ensuring that AppSec is a strategic priority for organisations.
What role does AppSec play in today’s digital world, especially in the face of the alarming rate of breaches due to vulnerable code?
It’s encouraging that CEOs and board members are now more aware of AppSec, which was confirmed by 51 percent of the CISOs we surveyed recently.
The public sector, in particular, is under constant pressure to reduce costs and a programme of digital transformation across government departments both at local and national level is helping to achieve greater efficiencies and drive savings. For example, an online self-service portal has helped the London Borough of Hammersmith and Fulham save £1.15 million annually.
Software development and the need for greater consolidation across platforms is at the heart of many of these initiatives and, as such, many organisations are adopting a ‘DevSecOps’ approach, which brings security to the centre of the development process. But let’s be clear, simply adding security into the DevOps equation doesn’t automatically make your software bulletproof.
Requesting collaboration from partners as a first step to building a wider understanding on software resilience and security for businesses and organisations, the UK Government has called for views on protecting digital spaces, in an attempt to ensure that users and companies feel confident using modern technologies. This can be achieved if the technology in question is secured. Software security plays an important role here as it not only underpins the operational functions of all the devices but also overlooks how the devices communicate in an interconnected landscape.
With recent security incidents such as the Log4j vulnerability making headlines due to the devastating impact of insecure code, securing software has become a crucial operation in ensuring cyber resilience. Gaining threat intelligence to ensure that malicious code does not infect an organisation’s network is paramount.
In the ever-evolving landscape of software development, it’s essential to embed features like static analysis, software composition analysis, API security scans, infrastructure as code scans, and open-source supply chain attack intel into the tools used – SCMs, IDEs, CI/CD tools, and so on. In addition, government cybersecurity agencies have begun calling for the use of SBOMs or software bills of materials, which are nested lists of all components, including the oft-targeted open source code components, within an application. This multifaceted AppSec approach not only increases the security of applications making it to production but also ensures it’s secure at all stages – before, during, and post-deployment.
We’ve found that about 42 percent of software developers recognise the need to run security scans early and frequently in the development cycle. They report that an alarming 60 percent of vulnerabilities are detected during the code, build, or test phases, while 40 percent are discovered during the production phase. It’s encouraging to see organisations initiating scans earlier, but it’s equally important to realise that these scans can’t be limited to just a few stages. To bolster your application security, AppSec tests must be incorporated throughout the software development life cycle (SDLC).
How can public sector organisations implement a robust AppSec program to drive efficiencies and enhance digital capabilities?
When it comes to crafting a solid AppSec programme, a paradigm shift is key. The traditional concept of ‘shifting left’—implementing security measures early in the development process—is certainly still effective, but it doesn’t quite succeed in our multifaceted digital era with ever shorter software cycles. The new mantra we need to live by is ‘shift everywhere.’
Shift Everywhere is all about integrating security into every single step of the application lifecycle—from its inception and development to its deployment and ongoing maintenance. It’s about fostering a culture, where each person involved, whether they’re a developer, a member of operations, or part of the security team, carries the banner of AppSec.
This fresh perspective demands a well-rounded AppSec programme that champions ongoing learning and training for developers, implements regular security testing, and utilises automated tools for identifying and remediating vulnerabilities. In addition, it encourages a culture of collaboration between development, security, and operations teams.
A mature AppSec programme doesn’t view security as a one-and-done event. Instead, it sees it as a process that requires continuous monitoring and updates to keep abreast of the latest threats and vulnerabilities. It’s also important to equip developers with effective Application Risk Management solutions that can provide risk prioritisation guidance.
For organisations that already have a well-established AppSec programme, evaluating its maturity using a comprehensive APMA (AppSec Program Methodology and Assessment) framework is crucial. This approach aids businesses in identifying any chinks in their current programme’s armour and plotting the necessary steps to strengthen their security posture.
How can public sector organisations overcome AppSec implementation challenges fostering shared responsibility?
There’s no doubt that digital transformation can deliver both cost and efficiency gains. For instance, the London Borough of Hillingdon saved £750,000 a year by switching to Google Apps. However, transformation projects and cloud-native deployments introduce additional risks as applications designed for the cloud have a variety of different codes, such as container and API code. These codes must be secured during each phase of the SDLC.
Our research shows that most businesses recognise the significance of AppSec to address these risks, but they’re still grappling with its effective deployment. Missteps in this area can result in serious incidents, including data breaches and considerable financial losses.
An effective approach is to create a sense of responsibility with the development teams themselves, such as through ‘security champion programmes.’ This could involve rallying a team of developers to serve as intermediaries between AppSec and development teams, nurturing a ‘shared responsibility’ ethos for application security.
Adopting this approach allows organisations to enable their developers to be the custodians of their applications’ security. This amplifies the security of the applications and fosters an environment of perpetual learning that means teams stay abreast of the latest trends – and one step ahead of attackers.
Given the ever-changing threat landscape, we need to recalibrate our approach to application security and ensure that there is no ambiguity in where the responsibilities for the security of software lies.