
Digital Transformation = Application Security Program Transformation

What does Digital Transformation mean to most organisations?

Digital transformation as a concept has been around for quite some time. It can mean different things to different organisations depending on their digital maturity. Traditionally, for most organisations it means Internet-enabling the business: putting more core business systems and processes online and wrapping Internet-enabled user interfaces around them so that employees or customers can reach those systems from anywhere. These changes can improve efficiency and broaden your customer base through the added value and services that help you remain competitive and grow your business.

Organisations that are further down the path of digital transformation and more mature digitally are likely now focused on moving to the cloud, building more Software-as-a-Service capabilities, and developing IoT interfaces or applications for mobile platforms.

From a security and compliance perspective, any transformation brings additional challenges and opportunities. Security is a moving target: your attack surface has suddenly become bigger and more complex, and there may be a perceived lack of control. As a business owner or executive, you may need to start asking yourself some questions.

  • Are you managing and moving more core systems online?
  • Are you moving to cloud?
  • Do you know where your applications are?
  • Are you still dealing with legacy systems, and if so, how many and how mission-critical are the capabilities they support?
  • Are your applications managed by security-aware teams?
  • Should you re-architect for security or invest in robust security assessment?
  • Is software security assessment your core expertise?
  • Are you building mobile applications, and if so, are they secure?
  • Should you build internal security expertise or hire the experts?
  • How quickly do you need to scale?
  • Are existing approaches working?

Digital transformation will usually also require security program transformation, so that security practices evolve as your applications, your application delivery and your application estate evolve. It is a great opportunity to embrace new technology and practices and become more secure. Be aware that this may also mean transforming how your organisation allocates budget for security and where that budget is aligned, particularly with respect to application security.

Thankfully, cost-effective and mature solutions exist that enable organisations to outsource their application security requirements. These solutions can perform large-scale, continuous security assessments against a broad range of application types at different stages of the SDLC, with fully validated results, and without requiring organisations to skill up or grow internal security teams, manage complex tools, or triage the output for false positives.

With many of these application security services, it is possible and prudent to use them to build security in rather than bolting it on. Look for security solutions that can operate in the context of how your applications are built: managed security controls should integrate into the application development lifecycle, through deployment and into ongoing operations and maintenance. So whether you build applications using Agile methodologies, outsource development, or are introducing DevOps practices, these solutions can help you build and deliver high-quality, secure applications on time.
