5 Best Practices in Application Security for 2017 by Venkatesh Sundar

5 Best Practices in Application Security for 2017

Every day of being ‘not fully secure’ is a day for potential breach. Customer information, business data, money, and brand rep; everything is at stake.

However, it is not easy to focus on app security. Should you fix vulnerabilities, build bulletproof Software Development Life Cycle (SDLC) or hire security experts? Here are the best practices in application security to help you.

Step 1: Threat Model

Often, companies do not have an inventory of their applications. There are plenty of old and rogue apps with dozens of vulnerabilities. Create an inventory list to ensure that your administrator knows about all the resources. Keep separate tabs for version, last update and use case.

Step 2:  Priority Buckets

Once you have the list of applications, can you start testing and patching all of them at once? That is why sorting Critical, Serious and Normal helps. This categorization framework will help you identify assets that deal with customer data, money and other sensitive information.

• Critical: These are the public facing apps that collect and store customer information. Hackers often target these apps to get data or steal money.
• Serious: These are both internal and external apps that store key information, but are not that critical.

• Normal: Hackers wouldn’t be able to get much from here. These apps should be tested and fixed after everything else.

Step 3: Vulnerabilities

An average application has 20 vulnerabilities. Therefore, there is a lot of ground to cover for all the apps in the organization. Deploy a combination of penetration testing and automated scanning to look for vulnerabilities. Categorize these vulnerabilities further based on the business impact and risks.

Step 4: Critical and High

Fixing issues is the next logical step. However, you cannot start with all the flaws simultaneously. Dedicate time and other resources to fixing Critical and High issues first.

Meanwhile, you can deploy protection to stop hackers from exploiting vulnerabilities.

1. Web Application Firewall: A WAF blocks malicious attempts based on predefined rules. Your WAF vendor can also configure custom rules to block business logic exploitations.
2. Functionality Limits: Meanwhile, limit the app functionalities, like admin control and sessions timeout.

Step 5: Advanced Application Security Measures

Business applications change frequently. Awaiting testing and patching isn’t always a logical solution. Here are some of the other advanced measures to help protect apps from hacking attempts.

• Monitor Apps: Virtual patching through WAF helps in monitoring apps. It allows visibility into how hackers exploit vulnerabilities. These analytics help you build intelligence to protect more efficiently in the future.
• Use Automated + Penetration Testing: Neither automated testing nor penetration testing is efficient alone. A combination of both gives you the advantage of continuous and thorough vulnerability detection.
• Managed Security: Hiring and managing an app security team inhouse is difficult. A managed app security program can help you stay on top by finding vulnerabilities before attackers, fixing vulnerabilities to stop hacking attempts and monitoring to collect data for security intelligence, visibility and DDoS patterns.

About the Author:

Venkatesh Sundar, Founder & Chief Marketing Officer

Venky has played multiple roles within Indusface for the past 6 years.  Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.