As the world increasingly moves to a digital format, cybersecurity is becoming more important than ever. It’s especially significant since, according to a recent survey by Sophos, 51% of businesses in America experienced a ransomware attack in 2020. That’s a staggering number of security vulnerabilities that truly shouldn’t exist in the modern day and age. Yet, it’s relatively understandable.
The push for apps hitting the market quickly has become a driving factor in a lot of development teams, and sometimes, that means that cybersecurity takes a back seat. In fact, this is why a lot of companies have begun adopting the DevOps model with the hope that they can not only overcome security and compliance challenges but also release a product within a tight deadline.
Fundamentally, the issue of application security is multi-faceted, with a variety of techniques, philosophies, and certifications that can be applied to make all applications safer.
For example, take the recent update to MITRE’s Common Weakness Enumeration (CWE), which itself was built on the incredibly popular ATT&CK Framework. Sponsored by the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the whole purpose is to categorize security weaknesses and vulnerabilities with the hope of understanding the specific flaws of each category and how to mitigate them. In fact, CWE has over 600 categories, with everything from buffer overflow to cross-site scripting and even race conditions.
This update couldn’t have come sooner, too, especially since some experts predict that cyberattacks will escalate given the massive increase in both remote work and the Internet of Things (IoT). This is exactly why cybersecurity understanding is not optional for these companies, as hacking tools are becoming more commonplace. It’s important that any tool that connects to the web has some form of cyber resilience.
In fact, it’s this distinction between cyber resilience and cybersecurity that companies often get wrong. It’s not a choice between one or the other, and it’s not enough to simply throw as many coding standards as possible at the problem. Instead, companies and developers must develop applications with cyber resilience in mind such as using Continuous Integration / Continuous Delivery (CI/CD) pipelines to code with fewer vulnerabilities or using more reliable web hosting.
Web & Cloud Security
As you can imagine, a lot of the modern world is hosted in the cloud, and therefore, cloud security plays a big part in ensuring that data stays safe. In fact, cloud-hosted application security has become a problem, especially since there often isn’t a cloud-specific DevSecOps person on hand to make sure that the application is safe from potential outside vulnerabilities.
Thankfully, there are security protocols ,such as the security compliance principles of the National Cyber Security Center (NCSC), which set out easy-to-follow rules on how to approach security for the cloud. Actions such as protection of data in transit, authentication, customer separation, and ensuring the customer is using the service securely are all basic concepts that can significantly increase cybersecurity and resilience.
Security responsibility also includes website security standards. There are several ways to protect and secure website infrastructure such as edge protection and using a secure web gateway.
What tends to interfere with better cybersecurity for websites are things like performance optimization, which may make a website more responsive. When done in the absence of a security mindset, this can be an approach that can lead to a lot of problems.
A major contributing factor to the lack of web security is the absence of overall availability and experience of developers in this field. In fact, according to a recent survey, nearly 60% of developers have less than five years of experience, which can sometimes make it difficult for companies to keep up with not only the most modern techniques but also some of the more skilled malicious actors out there.
The Importance of OWASP
Clear and simple standards are important when it applies to things like overly complicated code. Sometimes, in the drive to make sure that code is secure, developers might forget to also take into account the best practices of application development, especially considering the immense time pressures they are under.
This is where the Open Web Application Security Project (OWASP) becomes a valuable guide. OWASP is a set of strict guidelines and criteria for application security. The OWASP checklist helps developers more easily integrate the recommended security standards while also helping to avoid coding flaws that can compromise security.
While OWASP is quite large in terms of how it goes about ensuring standards, here’s a quick review at the different methods it uses:
- Output Encoding: Any information entered by a user has to be encoded before being committed since it is a possible vector for attack. This means output needs to be contextually sanitized using a standard testing routine. In fact, .Net Core has output encoding built-in.
- Input Validation: It’s important to make sure that data that is input by a user is valid and doesn’t allow for any form of attack. This often takes the form of checking against a variety of lists that make sure that input data is either secure or not going to lead to some form of injection attack.
- Session Management: Ensuring the ability to handle several connections to a web app at the same time is vital to security. This is where HTTP as well as other techniques such as generating new session IDs on re-authentication and having session inactivity timeouts play a role.
- Cryptographic Practices: As with anything on the web, it is extremely important to maintain strict confidentiality and integrity of the data. Good cryptographic practices including secure failing of cryptographic modules, policies for cryptographic key management, and the use of and implementation of a trusted system are essential to achieve this.
- Communication Security: Man-in-the-middle attacks are much too common, and this is where it’s important to make sure that not only is the data secure from outside interception but that it’s also easily understandable by the authorized receiver. Strong implementation of TLS is important along with the appropriate configuration of the protocol.
- Database Security: Valid database credentials and turning off unnecessary features are paramount to ensuring database security standards.
- Memory Management: With a variety of memory-leak-related security breaches recently, it’s important to keep memory at the forefront of security considerations. For example, a buffer-overflow can be a huge security hole, and the same applies to a reliance on ‘garbage collection’ such as connection objects and file handles.
Given that there is often a disconnect between the most recent technologies and current skill levels, it can be important to get back to the basics when it comes to programming and cybersecurity.
Keeping up to date with encryption standards is an important task that a lot of SecOps professionals might overlook or feel too busy to do. Similarly, keeping code simple is often something that more experienced developers tend to forget, and this can cause issues down the line for everybody involved.
Cybersecurity is a multi-faceted problem that is only getting worse as digital services continue to take over the world. That being said, it’s not necessarily the end of the world, and good cybersecurity is definitely achievable, especially with the easy availability of standards such as those offered through OWASP.
It’s also important to consider the specific skill set of security developers. Make sure to not only maintain their security credentials but to also help them to grow professionally. The aim is always to be innovative rather than reactionary when it comes to security.
About the Author: Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He’s also a part-time blogger at Privacy Australia, where he discusses online safety and privacy.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.