Every day of being ‘not fully secure’ is a day for potential breach.
March 15, 2017
Every day of being ‘not fully secure’ is a day for potential breach. Customer information, business data, money and brand reputation: everything is at stake.
However, it is not easy to know where to focus in application security. Should you fix vulnerabilities, build a bulletproof Software Development Life Cycle (SDLC) or hire security experts? Here are the best practices in application security to help you.
Often companies do not have an inventory of their applications. There are plenty of old and rogue apps with dozens of vulnerabilities. Create an inventory list so that your administrator knows about all the resources. Keep separate tabs for version, last update and use case.
Once you have the list of applications, you cannot start testing and patching all of them at once. That is why sorting them into Critical, Serious and Normal helps. This categorization framework will help you identify assets that deal with customer data, money and other sensitive information.
• Critical: These are the public facing apps that collect and store customer information. Hackers often target these apps to get data or steal money.
• Serious: These are both internal and external apps that store key information, but are not that critical.
• Normal: Hackers wouldn’t be able to get much from here. These apps should be tested and fixed after everything else.
An average application has 20 vulnerabilities. Therefore, there is a lot of ground to cover for all the apps in the organization. Deploy a combination of penetration testing and automated scanning to look for vulnerabilities. Categorize these vulnerabilities further based on the business impact and risks.
Fixing issues is the next logical step. However, you cannot start with all the flaws simultaneously. Dedicate time and other resources to fixing Critical and High issues first.
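The inventory, tiering and fix-first ordering described above, as an added example that is not from the article or from Indusface: a small Python script that keeps the inventory fields the article names (version, last update, use case), assigns each application to Critical, Serious or Normal by the article's definitions, flags apps that have not been updated in a year, and orders scanner/pentest findings so that Critical apps come first and, within an app tier, Critical and High severities are queued ahead of the rest. The application names, dates and finding ids are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Ordering used for the article's application tiers and for finding severity.
TIER_ORDER: Dict[str, int] = {"Critical": 0, "Serious": 1, "Normal": 2}
SEVERITY_ORDER: Dict[str, int] = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class App:
    """One inventory row: version, last update and use case, plus the attributes
    that decide the tier and the findings reported by scanning or pentesting."""
    name: str
    version: str
    last_update: str                 # ISO date (YYYY-MM-DD)
    use_case: str
    public_facing: bool
    stores_customer_data: bool
    handles_money: bool
    vulns: List[Tuple[str, str]] = field(default_factory=list)  # (finding id, severity)


def classify(app: App) -> str:
    """Map an application to Critical / Serious / Normal as the article defines them:
    public-facing apps holding customer data or money are Critical, other apps that
    store key information are Serious, everything else is Normal."""
    sensitive = app.stores_customer_data or app.handles_money
    if app.public_facing and sensitive:
        return "Critical"
    if sensitive:
        return "Serious"
    return "Normal"


def stale_apps(apps: List[App], today: str, max_age_days: int = 365) -> List[str]:
    """Names of apps whose last update is older than max_age_days on the given
    ISO date: the 'old and rogue' candidates that an inventory review should surface."""
    ref = date.fromisoformat(today)
    return [a.name for a in apps
            if (ref - date.fromisoformat(a.last_update)).days > max_age_days]


def remediation_queue(apps: List[App]) -> List[Tuple[str, str, str, str]]:
    """Flatten all findings into (tier, app, finding id, severity) rows, ordered so that
    findings in Critical apps come first and, within a tier, higher severities first."""
    rows = [(classify(a), a.name, vid, sev) for a in apps for vid, sev in a.vulns]
    rows.sort(key=lambda r: (TIER_ORDER[r[0]], SEVERITY_ORDER[r[3]], r[1], r[2]))
    return rows


def first_wave(queue: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """The subset to fix first: Critical and High severity findings, in queue order."""
    return [r for r in queue if r[3] in ("Critical", "High")]


# Constructed sample inventory; names, dates and finding ids are made up for this example.
INVENTORY = [
    App("storefront", "4.2.1", "2017-02-20", "online shop checkout", True, True, True,
        [("F-001", "High"), ("F-002", "Low")]),
    App("hr-portal", "1.9", "2016-01-10", "employee records", False, True, False,
        [("F-003", "Critical")]),
    App("marketing-site", "2.0", "2017-03-01", "brochure pages", True, False, False,
        [("F-004", "Medium")]),
    App("team-wiki", "0.7", "2015-11-03", "internal notes", False, False, False,
        [("F-005", "High")]),
]

if __name__ == "__main__":
    for row in remediation_queue(INVENTORY):
        print(row)
    print("fix first:", [r[2] for r in first_wave(remediation_queue(INVENTORY))])
    print("stale:", stale_apps(INVENTORY, "2017-03-15"))
```

Note the deliberate consequence of tiering by application first: a High finding in the public-facing storefront is queued ahead of a Critical finding in the internal HR portal, which is exactly the trade-off the article's Critical/Serious/Normal scheme makes. If your organisation would rather rank purely by severity, swap the order of the two keys in the sort.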
Meanwhile, you can deploy protection to stop hackers from exploiting vulnerabilities.
1. Web Application Firewall: A WAF blocks malicious attempts based on predefined rules. Your WAF vendor can also configure custom rules to block business logic exploitations.
2. Functionality Limits: Meanwhile, limit app functionality, for example by restricting admin controls and shortening session timeouts.
Business applications change frequently. Waiting for testing and patching isn’t always a practical solution. Here are some other advanced measures to help protect apps from hacking attempts.
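The two functionality limits named in point 2, shown as an added Python example that is not from the article or from any Indusface product: a session store that enforces both an idle timeout and an absolute lifetime on every lookup, and an authorization gate that additionally restricts `/admin` paths to the admin role and to clients on an internal network. The timeout values, the `10.0.0.0/8` admin range and the `FakeClock` used to drive the timeouts without waiting are all assumptions made for the example.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed policy values for this example; real limits depend on the app's risk tier.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity after which a session is dropped
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime even if the user stays active
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed internal range for admin use


@dataclass
class Session:
    user: str
    role: str         # "user" or "admin"
    created: float    # epoch seconds
    last_seen: float


class SessionStore:
    """In-memory session store that enforces idle and absolute timeouts on every lookup.
    The clock is injectable so the timeout logic can be exercised deterministically."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, sid: str, user: str, role: str) -> None:
        now = self.clock()
        self._sessions[sid] = Session(user, role, now, now)

    def validate(self, sid: str) -> Optional[Session]:
        """Return the session if it is within both timeouts; otherwise discard it."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s


def authorize(store: SessionStore, sid: str, path: str, client_ip: str) -> Tuple[bool, str]:
    """Gate a request: a valid session is required everywhere; /admin additionally
    requires the admin role and a client address inside ADMIN_NETWORKS."""
    s = store.validate(sid)
    if s is None:
        return False, "no valid session"
    if path.startswith("/admin"):
        if s.role != "admin":
            return False, "admin role required"
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in ADMIN_NETWORKS):
            return False, "admin functions limited to internal network"
    return True, "ok"


class FakeClock:
    """Controllable clock, constructed for this example, to step time forward."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the limits with constructed sessions and return each decision."""
    clock = FakeClock()
    store = SessionStore(clock)
    store.create("s-user", "alice", "user")
    store.create("s-admin", "bob", "admin")
    results: Dict[str, Tuple[bool, str]] = {}
    results["user_admin_path"] = authorize(store, "s-user", "/admin/users", "10.1.2.3")
    results["admin_from_outside"] = authorize(store, "s-admin", "/admin/users", "203.0.113.7")
    results["admin_from_inside"] = authorize(store, "s-admin", "/admin/users", "10.1.2.3")
    clock.advance(IDLE_TIMEOUT + 1)              # idle limit exceeded for both sessions
    results["user_after_idle"] = authorize(store, "s-user", "/account", "203.0.113.7")
    store.create("s-long", "carol", "user")
    for _ in range(49):                          # stay active every 10 min for over 8 hours
        clock.advance(10 * 60)
        store.validate("s-long")
    results["active_past_absolute"] = authorize(store, "s-long", "/account", "203.0.113.7")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The absolute timeout is the part most often left out: an idle timeout alone lets a stolen session live indefinitely as long as something keeps touching it, so the store checks both on every validation rather than only at login.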
• Monitor Apps: Virtual patching through a WAF helps you monitor apps. It gives visibility into how hackers attempt to exploit vulnerabilities. These analytics help you build intelligence to protect more efficiently in future.
• Use Automated + Penetration Testing: Neither automated testing nor penetration testing is sufficient alone. A combination of both gives you the advantage of continuous and thorough vulnerability detection.
• Managed Security: Hiring and managing an app security team in-house is difficult. A managed app security program from Indusface.com can help you stay on top by finding vulnerabilities before attackers do, fixing vulnerabilities to stop hacking attempts, and monitoring to collect data for security intelligence, visibility and DDoS patterns.
Stories by Ishan Mathur