Drop The Knife and Back Away from The AppSec Budget

By : Krishna Anindyo | Monday, June 01 2020 - 12:00 IWST

Synopsys Software

INDUSTRY.co.id - Say a municipal water department faced a sudden crisis that required building out some new infrastructure. If they decided to pay for it by eliminating water purification, you’d probably think the department head had gone crazy.

And you would be right. Who cares if the water supply is maintained or expanded if it’s not safe to drink? Deciding to sacrifice safety for cost savings is bad thinking.

Unfortunately, that kind of thinking exists in the digital world. So you could make a similar argument to any organisational leader thinking about gutting the application security testing budget to cover losses from the economic devastation of widespread business shutdowns.

Yes, the devastation is real. It requires major adaptation — in some cases building out infrastructure that nobody ever thought would be necessary. We hear all day, every day, that tens of millions are unemployed, the economy is contracting, and businesses have to cut major costs to survive.

But dealing with the situation wisely requires setting priorities. And one of the highest priorities should be protecting assets that, if compromised, could create an even greater existential threat to an organisation than a temporary economic collapse.

These days, the digital version of water purification is software security testing. Software powers the applications that interact with your internal assets and your customers’ personal and financial data. But when that software isn’t “purified” through rigorous security testing, vulnerabilities can allow attackers to steal your intellectual property, expose the personal and financial data of your customers, and loot your company’s finances.

That, in turn, can lead to a familiar parade of horribles: brand damage, litigation, loss of market share, regulatory compliance sanctions, and more. Enough to cripple an organisation that is already struggling.

Most cyber criminals have financial motivation: They follow the money. They are also disciples of the now-famous exhortation from Rahm Emanuel, former Chicago mayor and a top official in both the Clinton and Obama administrations, who said, “You should never let a crisis go to waste.”

They definitely aren’t letting this crisis go to waste. The FBI reported recently that the number of reports to its Internet Crime Complaint Center (IC3) had increased by 300% to 400%, from about 1,000 per day to 3,000 to 4,000.

Among the targets in the cyber attack spike was the World Health Organisation (WHO), which reported a fivefold increase in attacks directed at its staff and email scams targeting the public at large.

The U.S. Small Business Administration (SBA) reported a breach that exposed the personal information of nearly 8,000 business owners who had applied for federal disaster loans. Doctors and hospitals and even NASA have reported spikes in COVID-19-related malware and phishing attacks.

That alone is reason enough to make application security testing a budget priority. But it is not the only one.

Another is that the attack surface of many businesses has increased exponentially with the sudden shift to a work-from-home (WFH) regime that has dispersed millions of workers who had been more concentrated in offices, where it was easier to maintain security.

Thomas Richards, principal consultant and red team practice leader at Synopsys, noted recently that a single global company suddenly had to procure thousands of laptops for employees who had been using desktops in the office.

Besides procuring the devices, there was a mad rush “to configure them and develop policies around them,” he said, noting that haste frequently leads to mistakes.

Meanwhile, those workers have been forced to do numerous things online that they had been doing in person, including collaborating with video conferencing platforms that have their own set of security weaknesses.

Finally, another reason application security testing should be a budget priority is that securing modern software is as hard as it is important. It takes a consistent investment of time and money to get it right.

Modern software is more complex, given that it is assembled from hundreds or thousands of components (proprietary, open source, commercial) and interconnected through a vast web of software supply chains.

The complexity is significant because organisations increasingly rely on newer technologies such as APIs and microservices, cloud computing, containers, serverless computing, OSS components, and frameworks. Many organisations are not as adept at testing, hardening, and securing these technologies as they are at handling software from even a few years ago.

Just one example: Instacart’s fast-track rollout of white-label integrations with big-box retailers such as Costco and Safeway, after demand for its “personal shoppers” spiked 150% owing to shelter-in-place orders.

Piping the real-time inventories of multiple, major retail chains to an app that can be browsed by consumers, and then connecting that information to the mobile phone of an Instacart driver, can’t be done with a few lines of Python — or a few thousand lines of Python. It takes a massive amount of code, all of which needs to be rigorously tested if it is not to become low-hanging fruit for hackers.

Jonathan Knudsen, technical marketing manager at Synopsys, noted that it’s worth taking advantage of the “never let a crisis go to waste” mantra, and using the current situation to improve on your competitive posture.

“Weaving application security into product teams requires some changes in processes and culture,” he said.

“Why not take advantage of the work-from-home upheaval to make some positive changes to drive down your overall risk?”

“If your competitors are in hard crisis mode, but you’re able to manage crisis and improve your security stance, then you’re going to come out ahead in the long run.”

The good news is that the tools and services to build security into software are available, from static analysis to dynamic to interactive security testing, from software composition analysis (SCA) to pen testing at the end of the software development life cycle (SDLC).

But the caveat is that all those tools and services are crucial. No single tool will do it all. There is no way to press a button and watch all the vulnerabilities disappear.
