Application Security Begins at Planning

application security planning

Why Application Security Should Begin at Planning

As cybersecurity threats become more potent and prevalent, the need to make apps more secure by identifying and fixing vulnerabilities and enhancing their security is critical.

Application security has been getting more attention lately, especially after the Veracode “State of Software Security Vol. 10” report revealed that 83 percent of the 85,000 applications they tested had at least one security flaw.

Other apps had much more, with 20 percent of all apps identified as having at least one high severity flaw. In total, Veracode found 10 million flaws in this particular research, although not all of those flaws posed a significant security risk. However, the numbers generated remain troubling.

The Veracode report identified the most common types of flaws, and these are as follows:

  • Information leakage (64%)
  • Cryptographic issues (62%)
  • CRLF injection (61%)
  • Code quality (56%)
  • Insufficient input validation (48%)
  • Cross-site scripting (47%)
  • Directory traversal (46%)
  • Credentials management (45%)

These percentages indicate that cybercriminals intent on taking advantage of app vulnerabilities can do so in any number of ways. This is why the faster and sooner you or your team can find and address security issues in the process of software development, the safer your enterprise will be.

Everything starts with planning

App development involves specific steps, from concept to production and deployment. It is a complex process which can entail more back-and-forths than are necessary if you do not devote enough time for planning. Thinking ahead will not only help move your project along more efficiently but also ensure that you don’t end up discovering more flaws (bugs) in your app after launching it on the market.

While you may be excited about the prospect of going live, there are absolutely no steps to be skipped in the application development lifecycle. Integrating security in app development involves a process of negotiation involving policy, risk and development requirements.

For example, during the initial review phase, the security team or consultants assess initial risks. But they should also be working with the development team to understand possible risk exposures in the process of app development.

During the definition phase where developers begin threat modeling to identify critical aspects of apps that deal with sensitive data, security teams should also work with the developers to come up with mitigation strategies for identified vulnerabilities.

Security consultants must take it upon themselves to foresee possible threats to the software by employing a combination of use and misuse cases. They also need to conduct a security risk assessment and create a risk profile based on security guidelines set by authoritative sources, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX) and the Open Web Application Security Project (OWASP) guidelines, whichever is specific to your business or product domain.

This security-focused approach should continue as the process of app development advances to the next stages: design, development, code review, risk assessment, testing (including penetration testing), risk mitigation, benchmarking, production, post-production and maintenance.

The need to focus on security cannot be underscored enough in the entire app development process. You have to go beyond identifying common application development security errors and meticulously locate what could be tiny yet significant flaws that can open your app to irreparable damage in the future.

In effect, by cleaning up possible messes as early as possible, you can save your company from more complicated and costly issues down the line.

Emory Vandiver

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company's strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked for leading enterprises across a diverse cross section of the information technology industry. His professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients' businesses, along with a superior customer experience.