One Article Review

Home - The article:
Source AlienVault Blog
Identifier 2665241
Publication date 2021-04-19 10:00:00 (viewed: 2021-04-19 10:05:46)
Title Digital transformation moves application security to the top of mind list!
Text Here are some insights from AVP, Cybersecurity Todd Waskelis as we discussed cybersecurity and application security in focus.

How has COVID changed the game for application security? Shift Left, Shift Right, and Shift everywhere?

2020 had several significant events around application security, including the move of applications to the cloud, the expansion of remote workers using cloud-accessed applications, and an increase in the number of vulnerabilities reported in code. I think if we look at the basic lifecycle of Design, Develop, Test, and Deployment/Maintenance, we tend to focus today on the latter two stages – Test and Maintenance. Traditionally we address those with one-time preproduction testing, which, when issues are discovered, pushes the cycle backward to development. But once deployed, those identified vulnerabilities become more difficult to address and require either investment in additional infrastructure to ensure controls or, more commonly, prolonged exposure of that vulnerability due to limited resources (time, money, people) to address the issue. Shifting left leads with the idea of ensuring security is at the table during the design discussions, not only from a technology perspective but also from a regulatory/legislative view: knowing what controls will need to be cared for, commensurate with the data being processed, stored, and transacted. It also drives awareness to the developers early that security is a critical component and highlights their responsibilities in that commitment.

o Secondly, and just as critical, is integrating frequent and (when possible) automated security testing into the development stage. This reduces the number of vulnerabilities when we move to test, thereby increasing deployment speed and reducing the time to market.

o A large portion of the vulnerabilities we see are specific to custom code or to highly intricate custom configurations. In this way, almost every vulnerability detected in an application can be considered a zero-day vulnerability.

o With these recent types of trends, we expect an increased focus on application security during development; that shift left will become more important in the coming year.

o One example is cross-site scripting. It is a purely technical class of vulnerabilities that stems from improper coding of web pages, and plays a major part in large cybercrime campaigns, such as the Magecart web skimming campaign. Other vulnerability types do not stem from a technical problem but, rather, from a failure to recognize and enforce business logic, which is where we need to rely on the involvement in the design phase.

How does the importance of secure code in application security tie into digital trust, risk, and resilience?

o Secure code is more critical today than ever before, and that is driven by a number of things: remote workforce, cloud-native applications, explosion of mobile devices, emerging technologies like 5G, and really the fact that everything is becoming a connected endpoint.

o This focus on application security is nothing new; however, the threats have grown, the risks have greatly changed, and the attack surface is much larger now. It's not within the four walls of your enterprise.

o The customer experience is moving more and more to purely digital out of convenience, and eventually that will shift to be the consumer's expectation. If you fail just once and that Digital Trust between you and your client breaks down, you risk significant loss of business and brand loyalty, and market share.

o To put this into perspective, let's simplify with a banking example. Someone walks into a branch office of Bank of Todd and robs the
Sent Yes
Tags Vulnerability Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.