As another year comes to a close, application security remains more important than ever; it is a must-have. With virtually every business using applications to grow, the vulnerabilities and risks associated with these business-enabling applications continue to grow exponentially.
Applications that are being built today are touching millions if not billions of people on a daily basis. In turn, this makes the security of applications imperative to the lives we live. At WhiteHat Security, we are ultimately talking about our customers and our customers’ customers eventually touching the entire population of the world, leaving us tasked with helping to ensure their safety.
In 2018, app-related breaches ran rampant all year long. In May, thousands of parental and child accounts on TeenSafe, a teen device-monitoring app, had their information compromised. The app’s servers were accessible by anyone without a password, giving them entry to extremely personal data including Apple IDs. Later that month, fitness app PumpUp left a server exposed to the internet with no password to protect it. The server gave out sensitive customer data including user-entered health information, photos, and access to private messages between users.
In August, Air Canada confirmed a data breach of its mobile app that affected 20,000 people. Attackers had access to sensitive data that users may have added to their profiles, including passport numbers and expiration dates, as well as gender, nationality, dates of birth, and residence. While these incidents are unfortunate, there are always lessons that breaches can teach us about DevOps and the future of application security.
What the future holds for applications
DevOps, which combines the terms development and operations and represents a collaborative approach to the tasks performed by an organization’s application development and IT operations teams, is fast becoming the industry standard.
Fine-tuned DevOps provides many benefits to an enterprise, including speed of development, improved deployment frequency, better collaboration between Dev and Ops teams, lower failure rate of new releases, and a faster time to market. But DevOps software development also presents a fundamental challenge to traditional software security practices. Application security often runs at the end of the software life cycle (SLC), and isn’t in DevOps’ hands. The issue then becomes: how to secure DevOps, i.e., make it DevSecOps?
Why is the cultural shift from DevOps to DevSecOps so important?
As application development within Agile environments has increased, the need to bring security into the DevOps equation has also grown. Software development is much quicker in an Agile environment, so without proper security, the number and impact of undetected security vulnerabilities can grow further, faster.
With more entryways (due to more functionality being introduced in applications) vulnerable to attack, the frequency of attacks also increases. Thus, DevSecOps seeks to integrate and open cross-functional organizational structures and communications so that application security is included throughout the SLC and the post-release lifespan. Just as DevOps sought to lower the failure rate of the product, DevSecOps seeks to lower the number of vulnerabilities and to improve the efficiency of both detection and time-to-fix. With a DevSecOps framework, early detection of security threats and vulnerabilities is dramatically increased, as is the speed of deploying security fixes.
Application security at WhiteHat
Organizations depend on software applications to grow their business. As mentioned in an earlier blog, the challenge is that software security typically does not scale with this growth, thus creating significant business risk. As the pioneer and market leader in application security testing-as-a-service, WhiteHat Security provides industry-leading accuracy, breadth and speed, via a combination of automation and artificial and human intelligence, to implement application security across the entire software DevOps life cycle.
WhiteHat’s Application Security Platform brings together the critical capabilities of dynamic and static application security testing (DAST and SAST) and software composition analysis (SCA) to continuously assess risk for your applications by embedding security within the SLC, and providing development, security and operations teams the tools and services to deliver the most secure software. As a pioneer of the AppSec space, WhiteHat has created an approach to Application Security that customers trust. We provide the most accurate results with the broadest coverage by bringing together the critical scanning technologies (DAST, SAST, SCA) in a cloud platform delivery model for our customers.
Why WhiteHat Does AppSec Better
The right application security solution should be like a “universal translator,” bringing the worlds of security and development together to create a true DevSecOps team: a collective focused on delivering new and secure apps quickly, and committed to ensuring every application remains secure through its entire life cycle, an important goal considering that apps are now the heartbeat of the digital business.
The WhiteHat Sentinel Application Security Platform is that universal translator. Providing AppSec solutions for the entire SLC, Sentinel is the ideal fit for agile development teams that need security to be integrated into their tools, and for security teams that need a continuous testing solution for keeping apps secure in production. Sentinel supports mobile AppSec testing as well, so those roaming apps are as secure as your earthbound apps.
At WhiteHat Security, our clients achieve a 50 percent drop in production vulnerabilities along with a 25 percent reduction in time-to-fix vulnerabilities. We’re able to provide these types of results, in large part, due to our accuracy and scale. With over 50,000 applications tested to date, and 15,000+ applications actively testing, we are able to provide verified results for our customers that feature 95 million attack vectors identified and over 700,000 vulnerabilities verified.
Our mission is to secure the applications that run your business. To do this, we enable secure application development, deployment, operations and DevSecOps. Our complete turn-key solution offers our customers the ability to simply send us their (automated) request, and we do the rest, rapidly sending back accurate and comprehensive security testing results.