Overcoming the Challenges of AppSec Programs in a Remote Working Environment

Patrick Carey, Director of Product Marketing at Synopsys

In the 2020 Verizon Data Breach Investigations Report (DBIR), it was found that 43% of data breaches are linked to application vulnerabilities; a number that has more than doubled in comparison to the year prior. Considering recent events, including the COVID-19 outbreak and the Black Lives Matter movement, this situation will likely deteriorate as cybercriminals are quick to take advantage of heightened emotions to further their own personal agenda. Indeed, the last few weeks have seen nothing but reports of an intensification in cyberattacks.

What’s more, social distancing guidelines and the downturn in our economy today have no doubt introduced a great strain on business continuity. Yet, despite the cutback on resources for many, application security teams are expected to continue creating and maintaining software that is safe from the hands of bad actors. This is, no doubt, an intimidating task for most. So, what can be done?

The cybersecurity skills gap has been a chronic issue within the industry, making it difficult to find an adept security professional even on a good day. Indeed, according to a report by ISC^2, nearly two-thirds of organisations reported a shortage in cybersecurity staff. Today, this has only been exacerbated as travel restrictions and office closures impede any skills from being realised.

In order to overcome this hurdle, businesses may wish to consider managed application security testing services. This can help in alleviating some of the burden from employees and instead, outsource it to remote teams of experts as and when necessary. With this flexibility, organisations can also benefit from cost-efficiency.

The second important step to take is in ensuring that the existing team of developers are offered proper training in cybersecurity. These individuals make up the frontlines of the software development cycle. Yet, according to Forrester research, out of 40 distinct university computer science programs across the United States, not one requires students to partake in secure coding or secure application design courses.

As such, organisations are responsible for teaching these skills to software development teams. Though social distancing may temporarily put a stop to in-person training sessions, the world of online courses and resources allows for distance learning to be possible. Indeed, eLearning is useful in enabling employees to carefully work through vast amounts of content at a speed that suits them. This can then be paired with video conferencing which provides employees with an opportunity to ask questions or run through specific training material.

Both of these solutions are helpful in tackling the human-factor of Application Security programmes. However, organisations will also need to assess safeguarding measures against vulnerabilities in the applications themselves. In many cases, this might simply be a question of applying perimeter defence mechanisms such as web application firewalls (WAFs). For other organisations operating online, however, more needs to be done as web or mobile applications are themselves the perimeter.

According to the 2020 Open Source Security & Risk Analysis (OSSRA) report, such applications typically run on a foundation of open source code, 91% of which are either outdated or have been abandoned altogether. If organisations hope to avoid a similar conclusion as that of the Equifax breach in 2017, special care needs to be given to understanding the ins and outs of any one line of code; including what open source components exist within it. Running an audit and subsequently conducting vulnerability scans can do wonders in preventing the exposure of sensitive data and systems.

By strategically assisting application development teams with external support, investing in their security skillset as well as choosing to be aware of one’s open source portfolio, organisations can succeed in building excellent and secure software. Working remotely no longer has to be a barrier in achieving this.