Making application software security a priority for your organization can help you avoid massive data breaches like the now infamous Equifax breach. To recap, it started with a vulnerability in the Apache Struts MVC framework: a vulnerability that Apache knew about, had created a patch for, and had announced the need to patch, but that Equifax failed to patch. Two months after Equifax should have fixed the vulnerability, hackers used it to access the system, exposing the records of over 150 million people and permanently damaging the credit firm’s reputation. This scenario highlights a widespread issue. Even in organizations where cybersecurity is taken seriously, security in application development is not always properly understood or prioritized.
This is where the OWASP Top 10 comes in. OWASP (Open Web Application Security Project) regularly releases a list of the 10 “most critical security risks to web applications.” This list outlines what developers need to be aware of as they plan and create applications, web sites, and APIs, and assists them–as well as supervisors and other higher-ups–in understanding how to mitigate risk. The Top 10 is straightforward enough for laymen to understand, providing entire organizations with insight into the process for secure software development and a framework for accountability and security. Additionally, it serves to prioritize secure coding as an integral piece of a company’s framework, and the developer as an important stakeholder.
Which brings us to an important point: as a developer, your role is not just to consider coding security as an isolated event. With your code forming the backbone of an organization’s applications, any weakness could expose the organization to attack even if other parts of the enterprise are secure. As a result, secure coding needs to be acknowledged and practiced within a broader information security mindset. This means not just technically following the Top 10, not just practicing minimal communication with the rest of the organization about plans or concerns, but instead actively treating the work you do as an integral–perhaps the most integral–building block of total corporate security. The Top 10 list is meant to help accomplish this, but will only be successful if you actively work to maintain this mindset.
If this all seems overwhelming, a great place to start is by integrating secure coding practices into your Software Development Lifecycle (SDLC). Resources like the Top 10 should figure prominently in the SDLC because they help remind developers which common flaws to look for and how to avoid them. The best SDLC is one that incorporates a security mindset. By its very nature, each step of the lifecycle prioritizes thought, careful examination, and an overall consideration for what the application or API is designed to do and how it’s supposed to work. It also comes with built-in checks and balances, meant to help developers avoid flaws and focus on security in application development.
Developers can also help to create and advocate for a Configuration Management program. Configuration Management (CM) ensures that an organization is not only creating secure configurations for its software and hardware assets, but also that these are maintained over time to reflect changes to systems. Experts recommend that during the component access process, developers need to apply policy controls to proactively address security vulnerabilities, especially for open-source components. They also recommend that internal repositories be used to provision components, as well as not allowing the download of components directly from the Internet. CM is highly recommended by OWASP as a mitigation strategy.
Another great focal point is the creation and maintenance of a strong Patch Management Program. As per the Financial Services – Information Sharing and Analysis Center (FSISAC), “Vulnerability patching is a difficult and resource-intense issue but is necessary to protect an organization’s technology. Research indicates that while only 10% of known vulnerabilities are routinely exploited, enterprises continue to struggle to apply critical patches given IT resource constraints. We have all heard this before, yet we continue to see large incidents, breaches and ransomware where unpatched, vulnerable software was a central enabler of the attack.” This is another process that is strongly recommended by OWASP. If a robust Patch Management process had been properly followed by the developers at Equifax, it’s unlikely that the Apache Struts vulnerability would have slipped through the cracks for as long as it did.
As developers, we are responsible for our companies’ application software security in a unique, and often overlooked, way. Prioritizing that responsibility, and using tools like the OWASP Top 10, will help us create more secure applications, web sites, and APIs by substantially investing in their protection and maintenance. When properly followed by all developers, this mindset will transform the way the organization as a whole thinks about application software security, and ensure better security throughout our organizations, from the bottom to the top.