Blog A3Sec

Application code security: SecDevOps

Written by Javier López-Tello, CEO A3Sec | 14 October, 2022

We live in a digital era where business processes are carried out through apps and web applications. Companies and administrations of any place in the world and size offer their services through websites and internet-based applications to create, consume and do business.

Although government organizations and financial companies remain the primary targets of many cyberattacks, these attacks affect any company, regardless of sector and size, because in the age of the digital economy apps have become the core of their business. These cyber-attacks take advantage of vulnerabilities in software, in IT infrastructures and in the people who manage and use them.

Web Application Attacks

The exponential increase in the number of applications and the growing complexity of websites are linked to the growing number of incidents.

Among the most notorious of 2018, having exposed the personal data (and in some cases the financial information) of more than 65 million users, are the attacks suffered by Facebook (exploitation of a vulnerability in the "view as" function), British Airways (an attack on its website and its mobile application) and, most recently, Google+, which exploited a vulnerability in an API present since 2015 and patched in March 2018; after the incident, Google announced the closure of the site.

The types of attacks on web applications have not differed much from those produced the previous year. Statistically we can classify them as follows:

Types of Vulnerabilities

Telefónica has published the following summary graph of the different types of vulnerabilities, based on data obtained during the second half of 2016:

From the same report, the following graph is included, showing the severity of these vulnerabilities according to the criteria established by CVSS v2:

In the geographical areas in which A3Sec operates, EMEA and LATAM, vulnerabilities are distributed as follows:

Today, code and new application releases are developed faster than ever (Scrum, Agile, DevOps, ...). Applications are the driving force of digital business, and it is their components that are the most vulnerable to attacks.

The latest Verizon report ("The Verizon 2017 Data Breach Investigations Report") indicates that "more than 60% of security breaches involve web applications both as an affected asset and involved in the attack vector" and the remediation time for such vulnerabilities exceeds 175 days.

Despite Gartner data indicating that companies' spending on Application Security has increased from USD 630 MM in 2015 to USD 719 MM in 2016 (Gartner, Inc., "Forecast: Information Security, Worldwide, 2015-2021, 1Q17 Update"), this increase is not enough.

Undoubtedly, security breaches have an overall cost made up of several partial costs: direct economic losses, service impact, reputation and image damage, penalties, etc.

In the United States alone, in 2015 the FBI's Internet Crime Complaint Center (IC3) handled 288,012 individual complaints, with direct losses from cyber incidents on the Internet estimated at approximately $1.07 billion. The worldwide loss figure is estimated to be around $400 billion.

To reduce corporate risk, a major effort must be made to incorporate security into the Software Development Life Cycle (SDLC).

Security must be present in all phases

At A3Sec, with one team specialized in security and another in secure development, we keep security in mind from the moment the requirements and the solution are defined, paying special attention to the architecture design and its configuration.

During the coding phase we must execute code analysis, both static and dynamic:

  • SAST (Static application security testing): Static application security testing tools passively analyze the source code or binary code of an application for known vulnerabilities.
  • DAST (Dynamic application security testing): dynamic security testing tools help test and analyze a running application for behavior that indicates potential vulnerabilities.

In the testing and deployment phases of the application, we perform penetration tests to verify the security of the application and of the infrastructure that supports it.

This process is cyclical and will continue throughout the life of the application, in its maintenance and upgrade phases. Let's remember that it is much cheaper to find and remediate software vulnerabilities in their coding phase than when they are already in production.
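To make the SAST step concrete, here is an added example (not A3Sec's code, nor that of any product named on this page) of a minimal static checker in Python: it parses source into an AST and reports known-dangerous call patterns without ever running the code, which is precisely what distinguishes it from DAST. The rule ids, severities, messages and the sample `handler` function are constructed for this illustration.

```python
import ast
# Rule catalogue: ids and severities are this example's own assumptions.
RULES = {
    "eval":         ("HIGH",   "SAST-01", "eval() on untrusted data runs arbitrary code"),
    "pickle.loads": ("HIGH",   "SAST-02", "unpickling untrusted data runs arbitrary code"),
    "yaml.load":    ("MEDIUM", "SAST-03", "yaml.load() without SafeLoader builds objects"),
    "subprocess.*": ("MEDIUM", "SAST-04", "shell=True exposes the call to command injection"),
}

def _call_name(func):
    """'eval' for a bare call, 'module.func' for an attribute call, else ''."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def _violated_rule(call):
    """Return the RULES key this call violates, or None if it looks safe."""
    name = _call_name(call.func)
    kw = {k.arg: k.value for k in call.keywords}      # keyword arguments by name
    if name in ("eval", "pickle.loads"):
        return name
    if name == "yaml.load":                            # acceptable only with a SafeLoader
        loader = kw.get("Loader")
        safe = isinstance(loader, ast.Attribute) and loader.attr in ("SafeLoader", "CSafeLoader")
        return None if safe else name
    if name.startswith("subprocess."):                 # flag only an explicit shell=True
        shell = kw.get("shell")
        return "subprocess.*" if isinstance(shell, ast.Constant) and shell.value is True else None
    return None

def scan_source(source):
    """Parse (never execute) `source`; return (rule id, severity, line, message) ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and (key := _violated_rule(node)):
            sev, rid, msg = RULES[key]
            findings.append((rid, sev, node.lineno, msg))
    return sorted(findings, key=lambda f: f[2])

# Constructed sample under review; it is only a string here, so nothing in it runs.
SAMPLE = '''\
def handler(req):
    cfg = yaml.load(req.body)
    obj = pickle.loads(req.raw)
    subprocess.run(req.cmd, shell=True)
    return eval(cfg["expr"])
'''
```

Running `scan_source(SAMPLE)` yields four findings on lines 2 to 5; a real SAST product adds data-flow tracking so that only calls actually reachable from untrusted input are reported, which keeps the false-positive rate manageable.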

Forrester indicates that the implementation of code analysis solutions, such as Checkmarx, has a high ROI (+250%) and a payback of six months.

At A3Sec we have developed a methodology, and a set of solutions and services to assist in this process for the many companies that lack the technology, knowledge and expertise to successfully tackle it on their own.

For those who wish to outsource the process, we have developed the A3Sec Secure Development Validation Service, which identifies security vulnerabilities at the application level using advanced review techniques (static analysis of source code and dynamic analysis of running applications) and generates recommendations to resolve them.
