Following the recent DDoS attacks against Dyn, a growing legion of industry observers are highlighting the need to better incorporate security into application development. The application layer is often highly vulnerable to both insider threats and attacks from external adversaries. This susceptibility helps explain why increased investment is being funneled into this space.
The largest spending category for security in 2016 was skills, particularly for application and data security skills, according to a February 2016 IT Security Spending Trends report by SANS Institute. Nevertheless, greater effort is required by companies to protect their application and data assets.
A key challenge in addressing application security is that historically, a contentious relationship has existed between development and security teams, notes Mike Kail, Chief Innovation Officer at Cybric.
“Security is often associated with fear, uncertainty, and doubt. We need to be transparent about security and not scare people with it,” said Kail. “What’s important is how development and security teams can work together and start speaking a common language.”
One way of doing this, suggests Kail, is by creating a DevSecOps culture within the enterprise. “If you look at the culture of DevOps and its core tenets – collaboration, automation, measurement and sharing - we need to apply that to application development and security,” said Kail. Since most organizations don’t apply a continuous approach to application security, a DevSecOps methodology can help make application security an in-line strategy and include it as part of what developers focus on.
Developers are often reluctant to incorporate security into application development since they believe it hinders the process. However, automation tools can be used to incorporate security capabilities into each step of the app dev process, providing developers with a seamless way of integrating security measures into apps.
Bridging the application-security divide
One effective way to get app dev and security teams to work together toward shared objectives is by having a trusted leader serve as an intermediary who can clearly communicate goals and to orchestrate planning and collaboration between the two teams, said Kail.
“It’s always best to have air cover from the top and to lead by example,” said Kail. “The leader has to understand both practices at a pretty deep level, both from a cultural and technical standpoint.”
Since cyber security is top-of-mind for CEOs and board members, Kail said CISOs can educate executive teams on the application development lifecycle in layman’s terms and demonstrate the benefits that can be achieved over time with a DevSecOps mindset.
To communicate the company’s DevSecOps requirements, Kail recommends conveying the importance of having security integrated across platforms and services from beginning to end. “We don’t need to create more tools and hire more engineers to scale it out,” said Kail. “It’s about developing assurance instead of spending on insurance.”
Meanwhile, Kail advises conducting application testing on a continuous basis since hackers are unceasingly attacking companies’ app infrastructure. “Application testing is typically done manually on a quarterly basis and that’s simply not good enough,” said Kail. “If you want to run a marathon, you have to develop a program and stick to continuous training.”
To learn more about top cyber security trends and best practices, check out the upcoming San Francisco and New York CISO summits.