Many developers focus their efforts on solving problems – marrying business requirements to technology and building great functionality while meeting tight deadlines – but too often, they sacrifice security along the way. This approach can generate significant risks for your organisation. A threat actor may not find the vulnerabilities immediately, but it may only be a matter of time before someone does, hopefully not in something you have developed.
For this reason, application security (AppSec) should be a critical aspect of the software development lifecycle (SDLC) rather than overlooked or treated as an afterthought. AppSec ensures that your software is secure by design.
In this blog, I’ll discuss some key risks of overlooking AppSec, including how applications become vulnerable and the impact on your business, team and customers. By spelling out the risk of ignoring AppSec, I hope more people will appreciate the urgency and necessity of applying robust security measures throughout the SDLC, and avoid the cost of mitigating these vulnerabilities late in the SDLC or, worse, in production.
Legacy code creates vulnerabilities
Legacy code can be a significant security risk because the original developers did not write it to protect the application from the new, evolving threats of today. Threat actors target the older frameworks and libraries that your old code utilises because they are no longer maintained and patches may not be available.
This point may seem obvious, so why does legacy code remain an issue? Budget and time constraints are among the top reasons, because updating an entire codebase can be expensive and time-consuming. There’s also the worry of creating new bugs or breaking something during the rework. You may already be undertaking a digital transformation or a move to the cloud, so new functionality may already be on its way or in the planning. On top of that, some organisations may not have the expertise to update their code safely because it was developed by a third party.
If you are working with legacy code, it’s ideal to scan it and prioritise fixes to maintain and enhance the application’s security. You can speak to your application security team and ask them to review your code and recommend security improvements and controls, such as runtime application self-protection (RASP), that are designed to protect legacy software.
Vulnerabilities can arise as your app changes
You might have built your app initially with cyber security in mind, but developers might unknowingly introduce new vulnerabilities as they update it. Even seemingly minor app updates or changes can generate fresh security vulnerabilities. New features may add complexity to the app’s underlying code, providing a wider surface for potential security weaknesses or inadvertently creating a backdoor via SQL injection.
For example, suppose your team introduces a chat feature to your app to enhance user interaction. If the chat feature doesn’t have adequate security controls, such as proper input validation or data encryption, it could become an opportunity for a threat actor. They might exploit this weakness to send malicious code or links through the chat, or to intercept and read the chat messages. They might use these techniques to spread malware, steal data, or attempt other attacks.
You can reduce these risks by prioritising application security when making updates to the app. Security measures like input validation, encryption, and vulnerability assessments are good methods for maintaining an application’s integrity after an update.
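To make the chat example concrete, here is an added illustration (not code from the original post) of the two controls named above as they apply to storing a chat message: a vulnerable version that concatenates the message into the SQL statement, beside a hardened version that validates the input and binds it as a parameter. The table layout, the 500-character limit and the sample message are constructed for the example.

```python
import sqlite3

MAX_MESSAGE_LEN = 500  # constructed limit for this example

def open_db():
    """In-memory table standing in for the chat feature's message store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (sender TEXT, body TEXT)")
    return conn

def store_message_vulnerable(conn, sender, body):
    # Concatenating user input into the statement lets any quote character
    # change the structure of the SQL; that is the injection flaw. Here a
    # perfectly legitimate apostrophe is enough to break the query.
    sql = f"INSERT INTO messages (sender, body) VALUES ('{sender}', '{body}')"
    conn.execute(sql)

def is_valid_message(body):
    """Input validation: non-empty, bounded length, and no control
    characters other than newline and tab."""
    if not body or len(body) > MAX_MESSAGE_LEN:
        return False
    return all(ord(ch) >= 32 or ch in "\n\t" for ch in body)

def store_message_hardened(conn, sender, body):
    # Validate first, then bind the values as parameters so the driver keeps
    # data separate from the SQL text whatever the message contains.
    if not is_valid_message(body):
        raise ValueError("rejected message")
    conn.execute("INSERT INTO messages (sender, body) VALUES (?, ?)",
                 (sender, body))

def fetch_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM messages")]

def demo():
    """Send one legitimate message through both paths. Returns the outcome of
    the vulnerable path and the bodies the hardened path stored."""
    msg = "Don't forget the 3 o'clock call"
    conn = open_db()
    try:
        store_message_vulnerable(conn, "alice", msg)
        outcome = "stored"
    except sqlite3.Error as exc:
        outcome = type(exc).__name__  # the apostrophe breaks the statement
    store_message_hardened(conn, "alice", msg)
    return outcome, fetch_bodies(conn)
```

The same apostrophe that raises an error in the vulnerable path is the character an attacker would use to alter the query, which is why the parameterised form is the fix rather than escaping by hand.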
Third-party code might introduce vulnerabilities
Code created by third parties, including open-source libraries, offers developers a wealth of pre-existing functionality and components that can accelerate development. However, relying on third-party code without carefully checking and testing it can open the application to vulnerabilities. By some estimates, up to 80% of applications written today use open-source libraries.
When using third-party code, developers must exercise caution and thoroughly evaluate its quality and security. Open source code, for instance, is widely available for anyone to use, modify, and distribute. As such, it presents an excellent opportunity for threat actors to plant malicious code and vulnerabilities. Good practice is to maintain a repository of validated open-source libraries for developers to use, instead of each developer finding and downloading libraries themselves.
Vulnerabilities within this code can serve as entry points for attackers to exploit. They may allow unauthorised access, manipulation of data, or even the execution of malicious code within the application. For example, malicious open-source code might alter the app so that any data entered is revealed to a threat actor.
Therefore, when testing applications for security, it is important to provide your application security team with your libraries so they can perform software composition analysis, making you aware of transitive dependencies and producing an SBOM (software bill of materials).
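The point about transitive dependencies is easiest to see in code. This added example (not from the original post) walks a constructed dependency graph, separates the packages you declared from those pulled in indirectly, and emits a CycloneDX-style SBOM; the package names and versions are made up, and the CycloneDX field names are assumed from its 1.4 JSON schema.

```python
import json

# Constructed dependency data for this example: the direct dependencies an
# application declares and what each package pulls in (a lockfile would
# record the same information for a real project).
DIRECT = {"webframework": "2.3.1", "httpclient": "1.9.0"}
REQUIRES = {
    "webframework": {"templating": "3.1.2", "wsgiutil": "0.5.0"},
    "httpclient": {"urlparse3": "2.0.4", "certbundle": "2023.7.22"},
    "templating": {"escapeutil": "2.1.3"},
}

def purl(name, version):
    """Package URL identifier in the pkg:pypi/<name>@<version> form."""
    return f"pkg:pypi/{name.lower()}@{version}"

def resolve(direct, requires):
    """Depth-first walk over the graph; returns every package reached,
    transitive ones included, mapped to its version."""
    seen = {}
    stack = list(direct.items())
    while stack:
        name, version = stack.pop()
        if name in seen:
            continue
        seen[name] = version
        stack.extend(requires.get(name, {}).items())
    return seen

def transitive_only(direct, requires):
    """Packages present only because something else depends on them."""
    return sorted(n for n in resolve(direct, requires) if n not in direct)

def build_sbom(direct, requires):
    """CycloneDX-style document (field names assumed from the 1.4 JSON schema)."""
    resolved = resolve(direct, requires)
    components = [{"type": "library", "name": n, "version": v, "purl": purl(n, v)}
                  for n, v in sorted(resolved.items())]
    dependencies = [{"ref": purl(n, v),
                     "dependsOn": [purl(d, dv) for d, dv in requires.get(n, {}).items()]}
                    for n, v in sorted(resolved.items())]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components, "dependencies": dependencies}

def sbom_json(direct, requires):
    """Serialised SBOM ready to hand to a composition-analysis tool."""
    return json.dumps(build_sbom(direct, requires), indent=2)
```

Two declared packages expand to seven components here; the five you never named are the ones a vulnerability advisory is most likely to catch you unaware of.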
Cloud-native apps have their own set of vulnerabilities
The rise of cloud-native applications has brought increased accessibility and scalability. At the same time, cloud-native applications have their own vulnerabilities that threat actors might leverage. In fact, a report by Snyk found that 56% of organisations have found a misconfiguration or known unpatched vulnerability in their cloud applications.
Cloud platforms provide various services and configurations, which, if not properly set up, can accidentally expose sensitive data to unauthorised users. Misconfigurations in access controls, storage, or network settings can create opportunities for attackers to gain unauthorised access.
The consequences of these vulnerabilities within cloud-native applications can severely impact your organisation. Unauthorised exposure or loss of sensitive data can lead to various malicious activities, including data manipulation, identity theft, financial fraud, and reputational damage. Breaches in cloud applications can disrupt business operations, resulting in financial losses, legal repercussions, and regulatory non-compliance.
To mitigate these risks, your organisation might reconsider the security measures surrounding your cloud-native applications. This includes implementing proper access controls, ensuring secure configurations, regularly auditing and monitoring the cloud environment, and staying informed about emerging threats and best practices. Many cloud-based applications or workloads are becoming smaller and more ephemeral. They start, perform a task, and end, which is why many traditional security controls are ineffective, as they are not designed for these types of workloads. This makes secure by design an imperative and secure code reviews extremely important.
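As an added illustration of the storage misconfiguration mentioned above (not code from the original post), the check below audits a bucket policy for grants that an anonymous caller could use, with the weak policy beside its corrected form. Both policies are constructed, the bucket name is a placeholder and the account id is the 123456789012 placeholder used in documentation.

```python
import json

# Constructed bucket policies (the account id is the placeholder 123456789012
# used in documentation, not a real account).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True when the principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False

def find_public_grants(policy):
    """Return (Sid, actions, has_condition) for every Allow statement that an
    anonymous caller could use. A Condition may narrow the grant, so it is
    reported for review rather than assumed to make the statement safe."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and is_anonymous(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"),
                             as_list(stmt.get("Action", [])),
                             "Condition" in stmt))
    return findings

def audit_policy_json(text):
    """Parse a policy document as exported from the platform and audit it."""
    return find_public_grants(json.loads(text))
```

Running this over exported policies on a schedule is one concrete form of the regular auditing the paragraph calls for, and it fits the short-lived workloads described because it inspects configuration rather than a running process.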
Without application security, you could expose your business to vulnerabilities created by legacy code, app updates, third parties or cloud-based workloads. Leaving these vulnerabilities unaddressed could open your business up to the risk of data breaches that expose employee and customer data, seriously harming your reputation and generating significant financial penalties.
As such, it is ideal to include AppSec in your cyber security strategy and the SDLC so that you can take proactive steps to mitigate these vulnerabilities before a cyber criminal gets to them first. Alternatively, have your application security team perform threat modelling, preferably in the design phase or at least before the application is released into production. This way, you will have a very good idea of the application’s risk and how it relates to the risk appetite of your organisation, and you will avoid the heavier costs of remediating in production.
Galah Cyber can incorporate application security into your cyber security strategy
We designed our AppSec Advisory services to ensure security, reliability, and compliance in your software applications and related infrastructure. Our approach focuses on identifying, assessing, and mitigating security risks at every stage – from the software development lifecycle to applications operating in live environments.
Our experts will deliver actionable and practical security advice to identify, prioritise, and address potential application vulnerabilities. Please visit our Advisory Services page for more information.