Our CEO, Craig Hinkley, and our VP of Strategy, Setu Kulkarni, kicked off our support for National Cybersecurity Awareness Month (NCSAM) on October first with an engaging webinar that dives into critical issues we can all relate to, especially now. In Bridge Your Executive Team’s AppSec Anxieties, they review the current security climate, offer real answers on how to navigate the added stress this climate brings to CISOs and security teams, and suggest easy ways to improve your application security posture.
Web and mobile applications are the engines that fuel our digital economy. What’s different today is the speed at which applications are deployed and the mass adoption of those applications. The rate of digital transformation has accelerated, and sophisticated and relentless hackers are ready to exploit any opportunity. Applications are the number one attack surface, and security teams are frustrated and overwhelmed as they struggle to keep up. Both companies and individuals are at greater risk than they have ever been before.
As businesses transform digitally, we are using applications more than ever in our everyday lives, and we are becoming dependent upon them. What can digital organizations do to protect the interests of their consumers? As executives, how do we lessen anxieties around AppSec during this critical time?
Excellent CEO Advice!
There is no one-size-fits-all prescription for application security. Applications can’t be standardized – every web and mobile application is different, offers a unique user experience, and continuously evolves. Approaching application security in a generic way can therefore significantly increase your business risk.
“Yes, in the last 9 to 12 months traditional approaches to application security are failing,” points out Kulkarni. “12 to 18 months ago, I’d find customers racking and stacking security tools – you don’t get your desired outcome from another tool. Applications are even more vulnerable today; every passing day, more information gets leaked out. Adopting a new mindset is required today.”
“The application security teams that succeed today are working more with the lines of business than ever before,” comments Kulkarni. “It’s one thing to work with the development team, which is the right thing to do, but you also have to get connected with the lines of business because they are prioritizing the applications’ features and capabilities.”
The CISO of today needs to shift their role to keep up with these unstable times. Gone are the days of focusing only on IT systems. The modern CISO is a business partner and an enabler with a chair at the executive table. This next-generation CISO “is about risk assessment, mitigate and go,” comments Hinkley. “I think this speaks to the concept of being a business partner and how we have to allow the business to function.”
Accordingly, a strong connection between business lines and the CISO allows an organization to identify its risks and derive the right outcomes. “Application security approaches need to be more outcome-based,” says Hinkley. “There also has to be a way to define acceptable risk and to work to understand what acceptable risk to the business is. Because there will always be some level of risk – we won’t truly eliminate all the risks in the business one-hundred percent.”
“What we’ve seen working with our customers is this idea about knowing your risks and how it shines a lot of light on where the focus needs to be. Start with enumerating all the applications you have running in production,” adds Kulkarni. “That itself would give you a good idea of the attack surface and associated risks.”
Fundamentally, embedding security into the development process is the right thing to do. In fact, embedding security at as many points in the software development lifecycle as we can is excellent.
But why should security sit in the middle of DevOps? If security is to be successful, it should be silent – from development to QA to production, security should be quiet. CISOs need to step back, step up, and understand that the greater goal is to make security silent in DevOps.
“We need to come from a servant leadership aspect,” emphasizes Hinkley. “That means asking what we need to do to service the developers, the QA teams, and the production and ops teams. It requires us to drop the security pretenses and change our attitude. All teams need to be respected. We all need to work together to solve this problem.”
Not having an AppSec program in place inherently puts your business at risk. We know today that most breaches come from the application layer – many reports support this fact. Having an application security program in place should be a core objective.
Nearly 55% of all global attacks were application-specific attacks (33%) and web-application attacks (22%)*
“First and foremost, acknowledge that applications create a very significant risk to the business. Address risk where it is the greatest and that is in production,” states Hinkley. “To me, you first focus on those right applications – eCommerce, customer-facing, sensitive information, or critical data.”
WhiteHat Security provides the capabilities and services to help you secure your applications, put the hackers in the rear-view mirror, and drive the future of your digital business. To learn more, access this on-demand webinar here. Also, check our Driver’s Manual.
*NTT 2020 Global Threat Intelligence Report