A new article on devops.com outlines the 5 mistakes organizations make when they sacrifice security for speed in getting their applications to production. It's a common problem during this pandemic, as organizations rush to move applications to the cloud to support employees working remotely. It's important to make sure you don't forget security in the rush to get to production; security needs to be taken more seriously given the increase in cyber attacks.
If your organization is under pressure to deliver applications from development to production quickly, the article offers a few good reminders about what you need to do so that security doesn't become a casualty of the development process.
The article covered five possible mistakes you’re making as you accelerate your move to production:
- Not Looking at Data Security Holistically
- Not Considering Security Across the Application Development Lifecycle
- Not Focusing on API Security
- Not Providing Strong Authorization and Authentication Methods
- Not Incorporating Vulnerability Testing Throughout the Development Lifecycle
I'm not going to cover the entire article here in this blog article, but I did want to touch upon a few points that I thought the author made that are really important to remember. In the first section, about looking at security holistically, the article makes a point about development teams relying too much on authentication and authorization to protect data. It's important to remember that there are parts of any application that are accessed without identity verification, and that any vulnerabilities in the authentication/authorization code are themselves an issue. Security is needed for all parts of the application.
Another important point the article brought up is making sure that security is tested across the entire application, since looking at silos of code bases might miss issues that exist across different parts of the code base, or in the interaction between different parts of an application (for example, from the authentication module to the access module). Some of the most high-profile breaches (such as the Capital One attack) have occurred through vulnerabilities that existed in the interaction between code modules.
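To make the "interaction between modules" point concrete, here is a constructed two-module example (added for this post; it is not code from the devops.com article or from K2). The authentication module verifies passwords correctly, and the access module checks roles correctly, so unit tests that look at each module in isolation pass. The flaw only appears where they meet: the flawed reader takes the caller's role from the request body when one is supplied, instead of from the session the authentication module issued. The user store, passwords, record contents and function names are all assumptions made up for the illustration; the fixed reader beside it shows the contract that an integration test across both modules should enforce.

```python
"""Constructed example: authentication module + access module whose
interaction, not either module alone, is where the weakness lives."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# ---- authentication module -------------------------------------------------

@dataclass(frozen=True)
class Session:
    """Identity as verified by the authentication module."""
    user: str
    role: str


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only so the sample is self-contained; any proper
    # password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (role, salt, password hash).
_SALT = os.urandom(16)
_USERS = {
    "alice": ("admin", _SALT, _hash_password("constructed-alice-pw", _SALT)),
    "bob": ("viewer", _SALT, _hash_password("constructed-bob-pw", _SALT)),
}


def login(user: str, password: str) -> Optional[Session]:
    """Return a Session for valid credentials, None otherwise."""
    entry = _USERS.get(user)
    if entry is None:
        return None
    role, salt, digest = entry
    if not hmac.compare_digest(digest, _hash_password(password, salt)):
        return None
    return Session(user=user, role=role)


# ---- access module ---------------------------------------------------------

_RECORDS = {"1": "payroll summary (constructed)", "2": "board minutes (constructed)"}


def read_record_flawed(session: Session, request: dict) -> str:
    """Flawed interaction: a role supplied in the request overrides the
    role the authentication module verified, so a viewer can claim admin."""
    role = request.get("role", session.role)
    if role != "admin":
        raise PermissionError("admin role required")
    return _RECORDS[request["id"]]


def read_record_fixed(session: Session, request: dict) -> str:
    """Fixed: authorization uses only the verified session, never fields
    the caller controls."""
    if session.role != "admin":
        raise PermissionError("admin role required")
    return _RECORDS[request["id"]]


def interaction_check(reader) -> bool:
    """Integration test spanning both modules: a viewer session must not
    read a record regardless of what the request body claims.
    Returns True when `reader` holds the line."""
    session = login("bob", "constructed-bob-pw")
    assert session is not None and session.role == "viewer"
    try:
        reader(session, {"id": "1", "role": "admin"})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("flawed reader safe:", interaction_check(read_record_flawed))
    print("fixed reader safe: ", interaction_check(read_record_fixed))
```

The point of `interaction_check` is that it is the kind of test a per-module review would never write: it logs in through one module and exercises the other with the session that login produced, which is exactly the seam the article says gets missed.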
The final topic I'm going to comment on is probably the most important: making sure there is continuous vulnerability testing and assessment during the development cycle. We know that security threats are evolving faster than ever, with more attacks than ever as well. The Open Web Application Security Project (OWASP) provides a good list of the top 10 security risks found in web applications, and it is a good place to start with security testing.
There are ways to incorporate security testing into the development process without slowing it down. In fact, with K2 Cyber Security's application security platform, you can actually speed up remediation of vulnerabilities, getting you to production faster. K2 works with existing vulnerability and pen testing tools, with no modification to the infrastructure. After a test is run, K2 provides additional detail on the vulnerabilities found, including the file name where the vulnerability exists and the exact line of code where it resides, meaning that developers can remediate problems more quickly. In addition, K2 can also find vulnerabilities that the pen and vulnerability testing tools may have missed.
From the article:
“While speed may be the name of the game, rolling out your applications without considering security would have little positive impact if they fail to function and are not secure… While your application development plans may be time-critical, security cannot be an afterthought, because sacrificing security for speed may make it longer for you to mitigate the risks than achieve your application development goals.”
In addition to working in pre-production with development testing tools, K2 also works as a runtime application security platform.
K2's runtime deterministic application security platform monitors the application and has a deep understanding of the application's control flows, DNA and execution. By validating the application's control flows, deterministic security is based on the application itself, rather than relying on past attacks to identify a zero-day attack. Deterministic security results in the detection of sophisticated zero-day attacks and also protects the application from the risks listed in the OWASP Top Ten.
K2's Next Generation Application Workload Protection Platform addresses today's need for runtime security in an easy-to-use, easy-to-deploy solution. K2's unique deterministic security detects new attacks without needing to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number under attack, while at the same time integrating with leading firewalls to block attackers in real time.
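To show what "validating the application's control flows rather than relying on past attacks" means in principle, here is a constructed, simplified illustration added for this post. It is not K2's implementation and makes no claim about how K2 builds its model; it is the basic allowlist idea behind deterministic control-flow checking. A monitor first records the caller-to-callee edges that a toy application exercises during a learning run, then flags any edge it has never seen. The application (`handle_request`, `parse`, `render`, `load_template`, `export_records`) and its inputs are invented for the example, and the `sys.setprofile` hook is a teaching device that costs far more than the sub-millisecond overhead described above.

```python
"""Constructed illustration of control-flow allowlisting: learn the
function-call edges an application exercises, then flag unseen edges."""
import sys
from typing import Callable, Dict, List, Set, Tuple

Edge = Tuple[str, str]  # (caller function name, callee function name)


# ---- constructed sample application ----------------------------------------

def handle_request(req: str) -> str:
    """Single entry point; requests look like 'name=alice; action=export'."""
    fields = parse(req)
    if fields.get("action") == "export":
        return export_records(fields)  # a rarely used path
    return render(fields)


def parse(req: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for part in req.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def render(fields: Dict[str, str]) -> str:
    return load_template().replace("{name}", fields.get("name", "anonymous"))


def load_template() -> str:
    return "<p>Hello, {name}</p>"


def export_records(fields: Dict[str, str]) -> str:
    return "id,name\n1," + fields.get("name", "")


# ---- the monitor -----------------------------------------------------------

class ControlFlowMonitor:
    """Learns the set of allowed call edges from the application itself,
    then reports edges outside that set during enforcement."""

    def __init__(self) -> None:
        self.allowed: Set[Edge] = set()
        self.violations: List[Edge] = []
        self._enforcing = False

    def _profile(self, frame, event, arg) -> None:
        # Only Python-level calls matter here; C calls (str.split etc.)
        # arrive as "c_call" and are ignored.
        if event != "call" or frame.f_back is None:
            return
        edge: Edge = (frame.f_back.f_code.co_name, frame.f_code.co_name)
        if self._enforcing:
            if edge not in self.allowed:
                self.violations.append(edge)
        else:
            self.allowed.add(edge)

    def _run(self, fn: Callable, *args):
        # The hook is installed inside _run so that the entry edge
        # ("_run", fn.__name__) is identical in learning and enforcement.
        sys.setprofile(self._profile)
        try:
            return fn(*args)
        finally:
            sys.setprofile(None)

    def learn(self, fn: Callable, *args):
        """Record every edge exercised by this call as allowed."""
        self._enforcing = False
        return self._run(fn, *args)

    def enforce(self, fn: Callable, *args):
        """Run fn and return (result, list of edges not seen while learning)."""
        self._enforcing = True
        self.violations = []
        result = self._run(fn, *args)
        return result, list(self.violations)


def demo() -> List[Edge]:
    """Learn from an ordinary request, then enforce on one that takes the
    export path never exercised during learning."""
    mon = ControlFlowMonitor()
    mon.learn(handle_request, "name=alice")
    _, clean = mon.enforce(handle_request, "name=bob")
    _, flagged = mon.enforce(handle_request, "action=export; name=carol")
    assert clean == []
    return flagged


if __name__ == "__main__":
    print("unexpected edges:", demo())
```

Two things a practitioner should take from the toy: the model is derived from the application's own structure, not from a list of known attack signatures, which is the property the paragraph above describes; and a path the learning phase never exercised (`handle_request` calling `export_records`) is reported even though it is legitimate, so coverage of the baseline determines the false-positive rate of any allowlist approach.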
Change how you develop and protect your applications.
Find out more about K2 today by requesting a demo, or get your free trial.