
Security Think Tank: Adding trust to AppSec and DevSecOps

When building trust and assurance into app development through standards, it is critically important not to stifle innovation.


  • Rowland Johnson

Published: 09 Sep 2022

App stores have an implied degree of trust attached to them, meaning we rarely read the small print in the terms and conditions. It is easy to assume that because the apps are hosted by a well-known brand they must be secure, robust and reputable.

While in many instances that is true, some apps are either consciously or unconsciously malicious. Apps can harvest user information, integrate and share data with other apps and providers, and they can contain vulnerabilities that allow them to be directly exploited.

Technology and cyber are complex, so it is unrealistic to expect most people to be up to date with the latest capabilities, processes and security concerns. When a parent is asked by their child, "Can I download this app to my phone?", there needs to be some form of signalling to help them make an informed decision. All that anyone has today is information about how the app looks, the name of the app and reviews. This simply isn't enough.

Innovation versus security

While security is paramount, it is important not to discourage innovation. It is fantastic that anyone can access a simple coding package to create an application. However, a way to build in greater trust and assurance is needed. There needs to be a minimum set of standards and requirements to ensure apps are fit for purpose and cyber secure. While this responsibility rests with the app developer, it also needs to be assessed, assured and signposted by other parties to ensure it has meaning to the buyer of the app.

The cyber security industry has been doing cyber security testing and assurance in the form of penetration testing and code review for many years. Most well-known apps have passed multiple rounds of assessment to check both functionality and cyber security. But although these applications are generally assessed, there is no consistency. Some organisations rely on tools, some have a methodology, some undertake high-level assessment, and some a thorough root-and-branch deep dive.

Phrases such as security review, application review, penetration test and technical assurance activity are thrown about, but they don't have a consistent meaning. Consequently, security assessments are hugely inconsistent and depend on factors such as the assessor, the tool, the methodology, the time applied and even the year in which they were performed.

Clearly, an assessment is better than no assessment, but the industry needs to pull together to create something that is consistent, repeatable, risk-based and scalable. A vendor or tool from security company A should be able to undertake the same tests as company B, with a consistent methodology, and reach the same conclusion. And not only do the results need to be consistent, they need to be presented in a coherent and scalable way.

We need to make application security scalable. That means identifying a minimum set of standards and requirements to deliver against. We also need to develop a complementary reporting framework that is hyper-scalable and readable by application programming interfaces (APIs) and machines. This must clearly identify what has been assessed, what has been found, and what the conclusions or outcomes are.

The application development and cyber security industries need to work together to achieve these goals. Only by focusing on standards and leveraging consistent reporting frameworks will we be able to build more consistent and pervasive cyber assurance outcomes.

The aim isn't for the organisations providing application security to lose their identities or their value-add. Being able to present results in a range of different ways, depending on the application, the audience and the scope, will still be possible, for instance. However, a minimum set of reporting controls and standards that is consistent across all testing platforms, processes and frameworks is vital.

This approach will drive both improvement and consistency across applications. However, the large digital marketplaces need to inform consumers when an application is secure. There are a number of ways this could be achieved. At its most basic, a thumbs up/thumbs down is useful. Alternatively, marketplaces could develop a more granular rating system.

The time for industry to act is now.

Around the world, governments and regulators are looking at digital marketplaces to identify ways to build better and more consistent security practices. Although regulation may not be coming today, it is probable that there will be increased guidance and recommendations issued to digital marketplaces with the intent of driving improvement.

In an interconnected and global supply chain, this could result in governments issuing differing requirements. This, in turn, could exacerbate inconsistency and deviations from the intended goals of standardisation. It is therefore within the gift of industry to create a solution to the problem itself. Through collaboration, engagement and dialogue, industry can collectively build standards, deliver consistent assessments, and provide consistent signposting to consumers on the efficacy of an application's security posture.

Crest recently formed a partnership with the Open Web Application Security Project (OWASP) and launched its OWASP Verification Standard (OVS) for users embarking on this journey. More information is available here.

Rowland Johnson took over as president of Crest in 2021, having previously served as the organisation's international development director. He was previously founder and CEO of Nettitude, a provider of penetration testing, compliance and risk management services.
