There’s no such thing as “done” with application security
If you’re like most companies in the software business, you’re relentlessly developing new features, streamlining workflows and improving the user experience. But every single change to your platform also changes how you might be attacked. As you develop new code, you’ll almost certainly inject new vulnerabilities. Those need to be addressed.
Technology evolves so quickly that it requires you to constantly revisit your security to stay ahead of new vulnerabilities. The process never ends. As one director of application security described it, “Once you know the rules, the game changes.”
Download Ted's free ebook, "How to secure your software faster and better."
The best way to deal with this is to treat security as a cycle, a process that continually repeats. However, many people tend to think of security as a one-and-done process, something that is linear with a start and finish, after which it doesn’t need attention again.
But that’s wrong. Security is not a line; it’s a loop.
The only constant is change
Change is inevitable.
For example, your customers’ demands change. Sometimes they require new security controls. Sometimes they want to change their model, such as moving from software that is hosted on-premises (which runs at their physical site on computers they own and control) to software that is cloud-hosted (which runs remotely on computers owned and controlled by a service provider). Whatever the change, they need assurance that your security meets their new needs.
Another type of change is the invention of new attack techniques. Attackers are just like you: they're constantly innovating. They’re relentless in inventing new ways to exploit systems. You need to constantly investigate these new techniques, too. Security truly is an arms race, and you need to keep up.
Lastly, widespread vulnerabilities in core technologies are discovered. The very nature of building software is that you’ll have dependencies. Whether that’s on a cloud provider, third-party libraries, integration of third-party solutions or some other shared component, your security relies on someone else’s security to some extent. Those third parties are evolving, too, while at the same time, new exploits are discovered in them.
Change happens all the time, and you need to reevaluate your system to defend accordingly.
Take a lesson from the ultimate hackers
Change impacts your security, and to deal with that, you need to adapt. You want to be like nature’s ultimate hackers: squirrels.
If you’ve ever seen a bird feeder, you’ve seen squirrels defeat almost any attempt to prevent them from stealing the feed. Squirrels don’t care that the feed isn’t for them. To the squirrel, it’s about survival — steal the feed or die. So they relentlessly adapt to whatever barrier is thrown at them.
With application security, you’re up against the same level of intensity. Like squirrels, your attackers will stop at nothing to break the rules of your system, exploit functionality and gain access where they don’t belong. That’s how your attackers think, and that’s how you must, too, if you want to defend against them.
An iterative approach to security
All of this change requires that you take an iterative, ongoing approach to security.
Many people mistake security as being a linear process. Do step A, then step B, then step C and you’re done. But that’s wrong. Security is not a line; security is a loop. Yes, there is a process, but once you finish, you must repeat it. Forever.
The process follows a simple formula:
- Establish/update your threat model
- Perform security assessment
- Remediate your vulnerabilities
- Continue developing but with security in mind
- Repeat
As a senior vice president of product management put it, “There’s no finish line for security.” You will refine your process, but it will never end.
Reassessments keep your application in the clear
The best way to do this is through what’s called reassessments. They entail the ongoing process of evaluating your system for security vulnerabilities, so you can continue to improve it. Eradicating vulnerabilities is the point of security testing, and given all of the ways the world is changing, vulnerabilities will continue to appear. Reassessments ensure you continue to identify them so you can fix them.
Therein lies the value of reassessments. Even though you’ll introduce new vulnerabilities as your application inevitably changes with time, you’ll be able to catch them. Reassessments help you deal with change, identify the new vulnerabilities that get introduced over time and ultimately keep your system as secure as it can be.
You’ll never be “done,” but you will be building a better, more secure software system.
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- There’s no such thing as “done” with application security
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
- Introduction to the OWASP API Top Ten
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security