

The increasingly complex nature of software combined with pressure to develop and rollout new features quickly makes application security a growing challenge.
Application development infrastructure is full of significant security risks, according to research by Legit Security. The issue is widespread – the researchers found high or critical risks in the developer environments of every company they examined.
And there isn’t a simple fix. Legit said application security is no longer simply about spotting flaws in source code, because the attack surface for applications has grown and diversified.
So what can businesses do to assess their own application security risks and mitigate them effectively?
Tying application security risk to software complexity
Application security is set against an increasingly risky backdrop. Software development has become complex with the adoption of microservices, edge computing and distributed systems across hybrid clouds, says Kelvin Lim, senior director, head of security engineering at Black Duck.
This “significantly expands the attack surface”, making it more challenging to secure every component, he says.
Adding to this, businesses often put pressure on developers to deliver new features and functionality, which can lead to “a prioritization of speed over security”, says Bharat Mistry, field CTO at Trend Micro. “This focus on rapid deployment can result in inadequate testing and oversight of newly-introduced code,” he says.
At the same time, without the right controls in place, applications can be exposed to SQL and prompt injection attacks, or “a host of authentication and access control failures that leave sensitive data easily accessible to cybercriminals”, says Ann Maya, EMEA CTO at Boomi. She cites the example of last year’s Trello breach. “This saw a threat actor exploit an open API endpoint and gain unauthorized access to information on 15 million registered users.”
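The two failure classes named above, injection and missing access control, are easiest to see side by side. The following is an added example written for this page, not code from the article or from any of the companies quoted in it; the in-memory SQLite table, the user records and the handler names are all constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database for the demonstration (sample data, not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn

# --- SQL injection: concatenation versus bound parameters ---------------------

def lookup_vulnerable(conn, username):
    # The caller's input is spliced into the SQL text, so it can change the query's grammar.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # A bound parameter is always treated as data by the driver, never as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Classic tautology payload: turns "WHERE username = 'x'" into a condition that is always true.
PAYLOAD = "x' OR '1'='1"

# --- Access control: an open lookup endpoint versus an authenticated, scoped one --

def profile_open(conn, email):
    # Open endpoint: anyone who can reach it can enumerate members by e-mail address.
    return conn.execute("SELECT username, email FROM users WHERE email = ?", (email,)).fetchone()

def profile_guarded(conn, session_user, email):
    # Require an authenticated caller and only ever return the caller's own record.
    if session_user is None:
        raise PermissionError("authentication required")
    row = conn.execute("SELECT username, email FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or row[0] != session_user:
        return None  # same answer whether or not the address exists: no enumeration oracle
    return row

def demo():
    conn = make_db()
    try:
        profile_guarded(conn, None, "bob@example.com")
        unauthenticated_blocked = False
    except PermissionError:
        unauthenticated_blocked = True
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),          # two rows leak
        "parameterized": lookup_parameterized(conn, PAYLOAD),    # no rows
        "open_lookup": profile_open(conn, "bob@example.com"),    # full record, no auth
        "unauthenticated_blocked": unauthenticated_blocked,
        "other_user_hidden": profile_guarded(conn, "alice", "bob@example.com"),
        "own_record": profile_guarded(conn, "bob", "bob@example.com"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the sqlite3 module executes only one statement per call, so stacked-query payloads (`'; DROP TABLE users; --`) fail here even in the vulnerable function; many other drivers do not give you that accidental protection, which is why the parameterized form, not the driver's quirks, is the control to rely on.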
Application security problems can lead to supply chain incidents, which are now “a significant source of breaches”, says Jeff Watkins, chief technology officer at CreateFuture. “The problem with application security issues is they are often incredibly insidious – especially in the case of a supply chain attack – and can require extensive rollout activities to remediate.”
Mistry cites the example of the SolarWinds attack, which saw adversaries exploit weaknesses in the application to gain unauthorized access to sensitive information. “This highlighted how vulnerabilities in software supply chains can trigger massive data breaches affecting thousands of organizations”, he says.
Another infamous case is the Log4j vulnerability, or Log4Shell, a critical security flaw publicly disclosed in December 2021 in Log4j 2, the widely used Java logging library. “This flaw allowed attackers to execute remote code by taking advantage of the library’s logging function,” says Mistry. “The discovery of Log4j sent shockwaves through the cybersecurity community, leading to widespread panic as organizations scrambled to assess their exposure and implement patches.”
AI and application security risk
An additional factor adding complexity to application security is the use of AI for writing software, as well as the technology’s inclusion in live systems. According to Legit’s application security report, 46% of firms are using AI models in source code in a risky way. In fact, many security teams are unaware where AI is in use within their organizations, a phenomenon known as shadow AI.
The use of AI has resulted in new categories of risk to consider, says Watkins. “Existing advice to protect against attacks on AI systems is often inaccurate or absent, and some kinds of AI interface are technically impossible to secure, due to their non-deterministic nature.”
Yet AI can’t be ignored, given its growing role in software coding. Generative AI is accelerating code creation and by 2028, Gartner predicts 75% of enterprise software engineers will use AI code assistants.
This surge in AI-generated code could result in even more pressure on security teams, since it will require them to “scrutinize even greater volumes of potentially vulnerable software”, warns John Smith, EMEA CTO at Veracode.
It’s not all bad, though, as AI could also be used as a countermeasure, providing better application security tooling to organizations. It is especially useful when monitoring generative interactions that would be difficult to secure using traditional tooling, Watkins says.
Application security risk strategy
It might seem complex, but it’s possible to manage the risks surrounding application security by combining a few tools, policies and techniques.
Firstly, secure your development environments, says Watkins. “Be sure that a single attacker can’t create a huge blast radius in your organization by applying the least privilege principle.”
To boost application security within the business, embracing a “shift-left security approach” in the development process is “essential”, says Mistry. “This entails incorporating security practices early in the software development lifecycle through developer training in secure coding and integrating security tools into the CI/CD pipeline.”
Additionally, implementing supply chain governance via a software bill of materials (SBOM) helps track components and vulnerabilities, ensuring transparency and security in third-party and open-source components, Mistry adds.
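The practical payoff of an SBOM is that the Log4Shell-style question (“which of our builds ship an affected log4j-core?”) becomes a lookup rather than a scramble. The following is an added example for this page, not code from the article, from Legit Security, or from any tool vendor quoted here: it parses a small constructed CycloneDX-style SBOM and checks each component against a constructed advisory table. The two log4j-core rows mirror the published affected ranges for CVE-2021-44228 (fixed in 2.15.0) and CVE-2021-45046 (fixed in 2.16.0); in production the rows would come from a vulnerability feed such as OSV or the NVD, and version comparison should use a proper implementation for the ecosystem (Maven's ordering for Java, packaging.version for PyPI) rather than the simplified parser shown.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (sample data, not a real project's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
  ]
}
"""

# Constructed advisory table: (group, name, introduced, fixed, advisory id).
# Affected means introduced <= version < fixed. Rows mirror the published Log4Shell ranges;
# a real scanner pulls these from a feed (OSV, NVD, GitHub Advisory Database).
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0", "CVE-2021-44228"),
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.16.0", "CVE-2021-45046"),
]

def parse_version(v):
    """Simplified: '2.14.1' -> (2, 14, 1). Pre-release suffixes such as '-beta9' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(p) for p in m.group(0).split("."))

def affected(component, advisory):
    group, name, introduced, fixed, _ = advisory
    if component.get("group") != group or component.get("name") != name:
        return False
    v = parse_version(component["version"])
    return parse_version(introduced) <= v < parse_version(fixed)

def scan_sbom(sbom_text, advisories=ADVISORIES):
    """Return (purl, advisory id) pairs for every component matched by an advisory range."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if affected(comp, adv):
                findings.append((comp["purl"], adv[4]))
    return findings

if __name__ == "__main__":
    for purl, advisory in scan_sbom(SBOM_JSON):
        print(f"{advisory}: {purl}")
```

Only log4j-core is flagged; log4j-api at the same version is correctly left alone because the advisory is keyed on the exact artifact, which is the kind of precision an SBOM gives you and a filename grep does not.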
Watkins also advises a “DevSecOps” approach and continuous security integration, using software composition analysis, static application security testing and dynamic application security testing tooling alongside strict dependency management and container scanning. “This will ensure your code and the code in your supply chain is secure.”
Watkins highlights the importance of “getting serious” on secrets management. “Even if your code is secrets free, Legit’s report noted that 36% of those surveyed had secrets posted elsewhere, such as logs, tickets, and documents.”
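Secrets that never touch the repository still leak through debug logging, and the fix has two halves: find them, and redact them before the log line is stored. The following is an added example for this page, not code from the article, from Legit Security or from any scanner product; the log lines are constructed, and the credential values in them are documentation-style placeholders that only match the formats (an AWS access key ID, an AWS-style secret assignment, a GitHub personal access token, a JWT). The pattern set is deliberately small; real scanners add vendor-specific formats and entropy checks.

```python
import re

# Constructed log lines (fabricated values that match the formats, not real credentials).
LOG_LINES = [
    "2024-03-01T10:00:00Z INFO  deploy started by user=alice",
    "2024-03-01T10:00:01Z DEBUG env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "2024-03-01T10:00:02Z DEBUG env AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2024-03-01T10:00:03Z DEBUG git fetch with token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij",
    "2024-03-01T10:00:04Z INFO  request GET /api/v1/health 200",
    "2024-03-01T10:00:05Z DEBUG Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl",
]

# Each pattern captures the secret value itself in a group named "secret" so that redaction
# can keep the surrounding context (variable name, header name) and drop only the value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?P<secret>\bAKIA[0-9A-Z]{16}\b)"),
    "github_pat": re.compile(r"(?P<secret>\bghp_[A-Za-z0-9]{36}\b)"),
    "jwt": re.compile(r"(?P<secret>\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"),
    # Generic "SOMETHING_SECRET=value" / "password: value" assignments.
    "keyword_assignment": re.compile(
        r"""(?i)(secret|password|passwd|api[_-]?key)[a-z0-9_]*\s*[=:]\s*(?P<secret>[^\s'"]+)"""
    ),
}

def scan_log(lines):
    """Return (line number, pattern name, secret value) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                hits.append((n, kind, m.group("secret")))
    return hits

def redact_line(line):
    """Replace each detected secret value with a marker, keeping the rest of the line intact."""
    for pat in PATTERNS.values():
        def _sub(m):
            start, end = m.span("secret")
            whole = m.group(0)
            return whole[: start - m.start()] + "[REDACTED]" + whole[end - m.start():]
        line = pat.sub(_sub, line)
    return line

if __name__ == "__main__":
    for n, kind, value in scan_log(LOG_LINES):
        print(f"line {n}: {kind} -> {value[:6]}...")
    for line in LOG_LINES:
        print(redact_line(line))
```

Running the scanner over a log export or a ticket dump is the detection side of the control the quote asks for; wiring `redact_line` into the logging pipeline (a formatter or filter that runs before the record is shipped) is the preventive side.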
Meanwhile, organizations can consider a centralized API management strategy that considers all their integration, automation, data and security requirements, says Maya.
There are also specific measures that help to mitigate API security risks, Maya says. “First, a system must be in place to detect all APIs attached to a gateway and identify metadata, such as usage, to root out ‘zombie APIs’ or ‘shadow APIs’ flying under IT’s radar. Then, organizations must ensure they can check quality and security as APIs are introduced into an environment.”
Other best practices include strong API authentication and authorization controls, validating and sanitizing input data, and using security logging and monitoring to secure the data flow, says Maya. “Regular testing, patch management and software updates for APIs are also essential to maintain systems’ overall security and mitigate application security risk.”
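The inventory step Maya describes (know every route on the gateway, and its usage, so that zombie and shadow APIs surface) can be approximated from two things most gateways already give you: the route table and the access log. The following is an added example for this page, not code from the article or from Boomi's or any gateway vendor's product. The route inventory, the access log lines and the reference time are constructed; a real implementation would read routes from the gateway's admin API and logs from its log store, and would match on the gateway's own path-template syntax.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed gateway route inventory (hypothetical route IDs and owners).
ROUTES = [
    {"id": "users-get", "method": "GET", "path": "/api/v1/users/{id}", "owner": "identity-team"},
    {"id": "orders-list", "method": "GET", "path": "/api/v1/orders", "owner": "commerce-team"},
    {"id": "legacy-export", "method": "GET", "path": "/api/v0/export", "owner": None},
]

# Constructed access log lines in the form "<ISO timestamp> <method> <path> <status>".
ACCESS_LOG = [
    "2024-03-10T08:00:00Z GET /api/v1/users/42 200",
    "2024-03-10T08:00:05Z GET /api/v1/orders 200",
    "2024-03-11T09:15:00Z GET /api/v1/users/7 200",
    "2024-03-11T09:16:00Z GET /api/internal/debug/dump 200",
    "2024-01-02T03:00:00Z GET /api/v0/export 200",
]

# Constructed reference time for the usage window.
NOW = datetime(2024, 3, 12, tzinfo=timezone.utc)

def route_regex(template):
    """Turn '/api/v1/users/{id}' into a regex matching one path segment per placeholder."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_placeholder = seg.startswith("{") and seg.endswith("}")
        parts.append(r"[^/]+" if is_placeholder else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")

def parse_log(lines):
    for line in lines:
        ts, method, path, status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, method, path, int(status)

def inventory_report(routes, log_lines, now=NOW, window_days=30):
    """Usage per route in the window, routes with no traffic (zombies), and served paths
    that match no inventoried route (shadow endpoints), plus routes with no owner."""
    compiled = [(r, route_regex(r["path"])) for r in routes]
    cutoff = now - timedelta(days=window_days)
    usage, shadow = Counter(), Counter()
    for when, method, path, status in parse_log(log_lines):
        if when < cutoff:
            continue
        for r, rx in compiled:
            if r["method"] == method and rx.match(path):
                usage[r["id"]] += 1
                break
        else:
            # Something answered successfully, but nothing in the inventory explains it.
            if status < 400:
                shadow[(method, path)] += 1
    return {
        "usage": dict(usage),
        "zombie_routes": sorted(r["id"] for r in routes if usage[r["id"]] == 0),
        "shadow_endpoints": sorted(shadow),
        "unowned_routes": sorted(r["id"] for r in routes if not r["owner"]),
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(inventory_report(ROUTES, ACCESS_LOG))
```

The export route shows up as both a zombie (its only hit is outside the 30-day window) and unowned, which is the combination that most often becomes an unpatched, unmonitored entry point; the debug dump path is served with a 200 yet appears in no inventory, which is exactly the shadow API the quote warns about.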