Author: Adam Fowler

Best Practices to Maintain Application Security across Platforms

Application security is the process of finding and fixing security vulnerabilities in applications so that they are harder to attack.

With application security, the goal is to prevent code or data within applications from getting hacked or stolen. Though this process was hardly popular a decade ago, application security has become a crucial part of today’s software development lifecycle.

Nowadays, it has become one of the top priorities for businesses, thanks to the ever-changing and ever-growing digital ecosystem.

It has also become one of the major challenges for software developers and security professionals, since today’s software has become more complex than ever and cybercriminals are continuously improving their efforts and skills to find vulnerabilities and compromise applications.

Why is application security the top priority cybersecurity work for businesses? According to Verizon’s 2020 Data Breach Investigations Report, web applications top the list of hacking vectors used in the popular breaches in 2020.

That is, the report confirms that cybercriminals mostly target application vulnerabilities to compromise an organization’s networks and systems. Moreover, the report predicts that this trend of attackers targeting web application vulnerabilities is not going away anytime soon.

What makes applications such a lucrative target for attackers?

The Ponemon Institute report The Increasing Risk to Enterprise Applications describes the gap between application risk and application security investment: “Investment in application security is not commensurate with the risk. An average of 16 percent of the overall IT budget is dedicated to data protection and security. There is a significant gap between the level of application risk (33 percent of total risk) and what companies are spending to protect their applications (20 percent of annual spending in IT security). However, the level of risk to networks is much lower (18 percent) than the investment in network security (35 percent).”

That means organizations are not doing enough to mitigate application security risks. The report states that 74 percent of respondents find it difficult to prevent online attacks targeting application vulnerabilities because their organizations are unable to monitor and prevent attacks at the application level. One of the major reasons is the shift to cloud computing, which 81 percent of respondents say has cost them control and visibility over business-critical apps. Moreover, the information technology industry quickly adopted remote working in 2020 due to COVID-19, which left decision-makers with little to no time for security planning.

Nowadays, organizations are not restricted to one cloud provider, but they mostly opt for a multi-cloud architecture for their mission-critical applications.

This architecture provides better reliability and speed for their applications; however, its complexity makes it harder to secure. The popularity of mobile applications has also skyrocketed in recent years, leading organizations of all sizes to launch mobile versions of their applications, which gives attackers more attack surface and increases the probability of attacks.

How to maintain application security across many platforms?

First of all, organizations must follow application security best practices, starting with the industry-leading practices around multi-cloud security. They must synchronize their policies and settings across their cloud setups and use separate security policies, one per application or service.

They should also automate as much as possible, choose the right security tools, configure a monitoring strategy that keeps track of all cloud setups, opt for efficient compliance tools, simplify security by bringing all controls under a single dashboard, and minimize point security solutions that do not integrate with each other or with that centralized dashboard.

Secondly, organizations should understand the threats to APIs. They must perform regular security testing of their APIs, monitor third-party applications that use their APIs, follow the industry best practices for APIs, add solid support for authentication and authorization, add a second layer of protection to backend data stores such as databases and data lakes, and opt for API security tools and gateways.

With regular security testing of the codebase as well as third-party applications and libraries, organizations can decrease the chances of attacks on their apps.

Thirdly, organizations must secure their mobile applications from the ground up by writing secure code and encrypting all data on mobile devices.

As with any software, developers must use third-party libraries cautiously, since open-source libraries can be insecure and vulnerable and can hand attackers access to the app. They must deploy proper authorization and authentication along with session handling, apply the principle of least privilege, and choose sound cryptography and security tools and techniques, backed by regular testing.

Lastly, organizations should understand the risk of bots.

In recent years, hackers have gained unprecedented resources for compromising millions if not billions of devices to perform their bidding. Though web application firewalls may offer crucial security capabilities to detect and prevent complex attacks, they are not enough against bot traffic. That is why businesses must opt for bot management tools to build a robust defense posture against bots and attacks like DDoS.

Microsoft Forms now has a shorten URL option

Such a basic thing, but great to see. As per this Forms Uservoice suggestion, Microsoft Forms now has a ‘shorten URL’ option. It’s still rolling out right now (March 2021) but it turned up in my tenants. You’ll find it under the Share menu, and then under ‘Send and collect responses’:

The tick box is called ‘Shorten URL’:

Before ticking this box, the Forms URL for sharing looks like this:

https://forms.office.com/Pages/ResponsePage.aspx?id=gp6jfCyryEOFjHcqjfOQaicaufj5P4hCmrpZg_pruFhUNUFYSUlQMFEwRjVRNkZPUDBLOFYwUUtRVy4u

After ticking the box, it takes about a second or so to update, then looks like this:

The resulting link is of course, shorter. It also looks a lot nicer:

https://forms.office.com/r/Qca3qTjcMu

It’s nice to see a much more usable URL come out of Microsoft Forms, and still on the forms.office.com domain without having to resort to a third party URL shortener service.

Impersonation Protection delivers emails to Junk Folder

Impersonation Protection in Microsoft Defender for Office 365 is part of the Anti-phishing policies, designed to take action if an external email comes in with a match, or near match, to the display name of an employee.

The actions you can take when a match is made are:

  • Redirect message to other email addresses
  • Move message to the recipient’s Junk Email folders
  • Quarantine the message
  • Deliver the message and add other addresses to the Bcc line
  • Delete the message before it’s delivered
  • Don’t apply any action

What I wanted to do was deliver the message and add other addresses to the Bcc line. This could be used to send a copy of the email to the helpdesk for investigation, as Impersonation Protection tends to get a lot of false positives from services that like to use people’s actual names in the emails they generate, or from people using a personal account to email other employees.

What I found was that the action was applied, but the email was then delivered to the Junk Email folder. If I wanted that to happen, I would have selected the ‘Move message to the recipient’s junk email folders’ option. After logging a case with Microsoft, I found out why.

Any time an email is detected by Impersonation Protection and the mail is still allowed to flow through, the SCL header is set to 5. As per Office 365 standards, this delivers the email to the recipient’s junk mail folder.

It makes the choices on what actions to take in the Impersonation Protection settings rather misleading; but there is one option that’s still reasonable – Quarantine the message. This should trigger a fairly quick quarantine digest to the recipient for review, allowing them to review and decide if it should be released. If released, it will then deliver to the Inbox rather than Junk Mail.
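As an added illustration of the behaviour described above (this is not code from the original post), the following Python script parses a constructed copy of a message that was let through with Bcc recipients added, reads the SCL header, and reports where the message would land and which protected display name the external sender matched. The internal domain, the protected users, the sample message and the exact-match simplification (the real service also catches near matches) are all assumptions.

```python
"""Triage a Bcc copy of a message that Impersonation Protection let through."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample, not a real capture. X-MS-Exchange-Organization-SCL is
# the header Exchange Online stamps with the spam confidence level; every
# name, address and domain below is made up.
SAMPLE_EML = (
    b"From: Pat Example <pat.example@personal-mail.invalid>\r\n"
    b"To: helpdesk@example.com\r\n"
    b"Subject: Quick favour\r\n"
    b"X-MS-Exchange-Organization-SCL: 5\r\n"
    b"\r\n"
    b"Can you call me back?\r\n"
)

# Assumed tenant data: its own domain(s) and the protected display names.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_USERS = {"Pat Example": "pat.example@example.com"}
JUNK_SCL = 5  # per the post: a message stamped SCL 5 lands in Junk Email


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive form for comparing display names."""
    return " ".join(name.lower().split())


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    scl_raw = str(msg.get("X-MS-Exchange-Organization-SCL", "")).strip()
    scl = int(scl_raw) if scl_raw.lstrip("-").isdigit() else None

    # Simplified check: exact normalised match only; the service itself also
    # flags near matches of the display name.
    external = sender_domain not in INTERNAL_DOMAINS
    impersonated = next(
        (u for u in PROTECTED_USERS if normalise(u) == normalise(display_name)), None)

    if scl is None:
        folder = "unknown (no SCL header)"
    elif scl == -1:
        folder = "Inbox (spam filtering bypassed)"
    elif scl >= JUNK_SCL:
        folder = "Junk Email"
    else:
        folder = "Inbox"
    return {"scl": scl, "expected_folder": folder, "sender_domain": sender_domain,
            "impersonated_user": impersonated if external else None}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```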

Security Panel Discussions / Table Talks for March 2021

For March 2021, I’m lucky enough to be doing two different events around Security, and they’re both free to attend!

First is for Microsoft Ignite, where on Thursday, March 4, 11:30 AM – 12:00 PM ACDT I’ll be in the event Table Talk: Security Best (and Worst) Practices, where we’ll talk for half an hour about what bad security practices we hear and see, and how to make them better. That session was 100% full last time I checked, but you might get in if someone drops out, so have a look. There’s also a huge amount of other Microsoft Ignite content that isn’t people limited, so register now if you haven’t already.

Then, on March 11, 2021 10:30 AM – 12:00 PM CET (convert to your local time by adding your city here) I’ll be in another event being run by Acronis:

A New Playbook to Protect Your Users from Cyberthreats in 2021

The online event is free, and I’ll be a part of the round table / panel discussion on “Reality Check. Why SMBs are Targets”.

Looking forward to that one too, as it’s my first time chatting with the Acronis team and I’m sure they’ll have some great discussion points for us.

I even went out and bought a Blue Yeti USB Microphone for that proper speaker experience, rather than wearing a gaming headset :)

Since Covid hit, everyone has had to move all these events on line. What I’ve personally realised as both an attendee and presenter, is that the round table style is generally a lot more enjoyable to both be a part of, and listen to. It’s like a podcast really, with people talking about the topics they’re passionate about. Sure, there’s a general idea on what dot points will be discussed, but beyond that, it’s people talking off the top of their head on things they know, and bouncing off each other.

This revelation came to me at the end of 2020, when we did a user group round table on ‘How to stay up to date with Microsoft’ – I co-run the Adelaide Microsoft IT Pro Community, and had a great time chatting with Andrew, Brett, and Tiffany.

I’m really looking forward to both of these events, and hopefully get a chance to do more in the future!

How to (really) factory reset a Poly CCX 500

Hi,

Quick one here, I was testing a few Poly CCX 500 devices for Teams Calling, and wanted to do a factory reset.

The official documentation says:

Procedure

  1. Disconnect the power, then power on the Poly phone.
  2. As soon as the Poly logo shows on the screen, press and hold the four corners of the LCD display. Note: It may take several tries to get the timing right or to find the correct spots to press on the LCD display.
  3. Release the LCD display when the Mute indicator on the lower-right corner of the phone begins flashing red, amber, and green.

However, I tried this many times without success. Doing large crab claw fingers to cover the 4 corners of the screen was doing nothing beyond hurting my fingers.

I ended up working out it was a timing thing, and the Poly logo shows twice. It will first show, then go to a black screen for a second or two, then re-show the Poly logo. If you press the 4 corners before the Poly logo comes up for the second time – nothing happens. You have to press the 4 corners of the touch screen straight away AFTER the Poly logo has come up for the second time. It won’t register if you do it earlier, and leave your fingers in the right place.

They actually have a video showing this correctly:

https://community.polycom.com/t5/video/gallerypage/video-id/6198164788001

Hope this saves someone time! I assume this is the same for CCX 400, CCX 600, Poly Trio C60 etc but haven’t tested those.

Note the default admin password for these phones is ‘456’ and you should be changing this, which is easily done automatically via a Teams Configuration Profile.