Have you ever wondered about the security of the applications you are using, building or considering purchasing for company use? You are not alone in this critical thinking. These thoughts are likely to be fuelled by reports on cyber-attacks and data breaches which are becoming a common occurrence in the news.
Virtually all businesses rely on some form of digital communication, application or service to fulfil their business goals. According to Verizon's 2019 Data Breach Investigations Report, the top two causes of confirmed data breaches are vulnerabilities in web applications and backdoor or C2 (command and control) malware. Reports like these focus the minds of both consumers and businesses on the security of the applications they consume and provision.
GDPR has brought further focus on the production of secure software by mandating requirements such as data protection by design and by default (Article 25). Companies that fail to address these GDPR requirements are likely to face higher fines in the event of a breach, because they cannot show due diligence around software security.
No company exists to be secure, but in order to safeguard their business interests organisations need to protect what they value most. For many, customer data, customer confidence and organisational reputation are usually high on the priority list. With the supporting statistics that show data breaches are often caused by insecure software, it is a logical area of focus.
In order to enact meaningful change and produce resilient and secure software, there must be a conscious decision at the top, supported by careful planning and execution at the development and operations levels. The recent changes in regulation (GDPR, especially Articles 25, 32, 33, 34 and 35), the associated potential fines (up to 4% of global annual turnover or €20 million, whichever is higher) and a shift in customer sentiment together provide a good basis for a business case to invest in a proactive approach to software security.
There is no silver bullet for this problem, it must be carefully defined, designed and implemented to suit the business, but there are frameworks which can help.
There are many ways to improve application security. By adopting a software security maturity model (e.g. the OWASP Software Assurance Maturity Model, SAMM), organisations can work within a proven and tested framework to improve the security of their software stack.
At Savanti, we have created a framework based on OWASP SAMM for improving application security which can be customised to individual business needs. It has been used by large and small organisations to improve their software security processes, building security in from the ground up, delivering software more quickly while improving security and meeting compliance requirements.