Breaking News

New Year, New AppSec Resolutions

2020 is upon us, and with a new calendar year comes new goals and New Year’s resolutions. As expected, all of the common suspects are getting the mainstream focus – eating healthier, exercising more, being more positive, etc. But in addition to these basic – and worthwhile – goals, it’s time for those in security and development positions to make 2020 the year of application security.

2019 saw yet another calendar year come and go riddled with major data breaches across the world. Whether it was U.S. government and military personnel having their data leaked by AutoClerk, or the DoorDash breach that saw 4.9 million customers, workers and merchants affected, it was another record-setting year.

Antivirus software vendor Norton noted that the first half of 2019 alone saw a total of 3,800 publicly disclosed breaches with 4.1 billion records exposed. That was enough to be a 54% increase in the number of reported breaches vs. the first six months of 2018.

Given the growing threats and steady increase of breach incidents, the importance of securing applications cannot be overstated. Despite the headlines and increased awareness, most companies fail to test, secure and remediate applications. To encourage security best practices, here are three resolutions organizations should make and keep for 2020:

Add Cybersecurity Expertise and Protocols

A WhiteHat study of 103 IT professionals at DeveloperWeek Austin found that three-quarters of developers are worried about the security of their applications, and around seven out of eight consider security to be an important development consideration, despite the fact that only half of these teams have a dedicated cybersecurity expert. Our study also found that about 49% of development teams lack a dedicated cybersecurity leader, and 43% prioritize deadlines over secure coding.

This raw data shows us that securing the development process isn’t necessarily a priority for every company, but adding cybersecurity expertise to the development team could go a long way. Developers are on the front lines when it comes to protecting their organizations from cyberattacks, and they need the right leaders in place to help see them through tough times and guide them to build their own expertise.

There is a clear upward trajectory in developers’ concerns about securing their code, but it’s clear that the industry still has a long way to go. With applications being increasingly targeted by digital adversaries, it is vital that organizations and developers incorporate standard security protocols within DevOps, a practice known as DevSecOps. This should include regular cybersecurity training, an application security team lead and a holistic application security platform that can identify vulnerabilities in development, deployment and beyond.

 Understand the Cost of a Data Breach and Take Preventative Measures

Lessons need to be learned from the recent onslaught of massive online security breaches. Whether it’s the aforementioned DoorDash and AutoClerk breaches, or the Marriott International and British Airways breaches that cost the companies $100 and $230 million+ fines for failing to protect customer data, it is essential to ensure security and compliance by implementing cybersecurity practices to make data breaches preventable.

As organizations depend on software applications to grow their business, it is essential to secure the applications to detect and block threats before they become an attack. By taking a systematic, risk-based approach to evaluating and addressing cybersecurity vulnerabilities earlier in the software development life cycle (SDLC), organizations can immensely improve their security posture.

Development and operations specialists should understand application vulnerabilities, their different categories and best practices to avoid making applications vulnerable. Without this training, developers and operations specialists likely won’t fully grasp just how important security is, and the effects it can have on the business.

Make Security a Shared Responsibility

First and foremost, DevOps teams need to learn that security is a responsibility that they must share with the security team. Without it, DevSecOps is impossible, and without DevSecOps, DevOps will not be secure. DevOps and security teams need to be taught how to discuss security issues together, so they can see all of the implications they entail – security, quality, legal, reputational – all combined.

Organizations will increasingly see their revenues, profits and brand loyalty impacted by their ability to create highly secure applications. And as more application-layer breaches are reported on by the media, security will need to be seen as a fundamental aspect alongside quality, stability, performance, functionality and ease-of-use.

Using these three application security-related suggestions will put an organization on a clear path to a much stronger security outlook in 2020. To protect critical data, organizations must do their part by adding cybersecurity expertise to their development teams, becoming more conscious of the costs of data breaches and making security a shared responsibility. These practices, along with support from application security specialists like WhiteHat Security, will see your data security resolutions through to the end of the year, and beyond.

Tags: DevSecOps