5 security questions every developer must ask
By Harry Wan, CISSP, CCSK, Director Cloud Security Professional Services, Verizon Media, and Alex Daniel, CISSP, Senior Security Solutions Architect, Verizon Media
Development teams play a critical role in the security of internet-facing applications. While bad actors are the most significant threat these teams encounter, they also face internal challenges with implementing security fixes while balancing business, engineering and security interests. Here are five security questions that will improve awareness of your application security needs and reduce the risk of a web application security event impacting your business.
1. How can I identify and fix vulnerabilities in my application code?
Dynamic and static application security testing tools help find vulnerabilities in a web application. DAST and SAST tools find weaknesses in different ways: DAST exercises the running web application with attack-style requests (e.g., cross-site scripting probes), while SAST tools look for insecure practices in the source code (e.g., uninitialized variables). Using both in a continuous integration/continuous deployment (CI/CD) pipeline finds flaws as part of the software development process, before the code ever reaches production.
Some source control repositories integrate with the CI pipeline to run security scans on each change. The repository can require that CI perform SAST as part of every change request, and if the scan reports security findings, block the change request from being approved. Teams that run these scans, whether manually or automatically, can significantly reduce their security risk. Similarly, CD can include a DAST scan during the deployment of new code.
Scans may produce many results. It takes time to assess and prioritize them all, even with the help of a vulnerability management system. A web application firewall (WAF) enables you to take action immediately while your team prioritizes the vulnerabilities and applies fixes.
Additionally, running a DAST scan against a web app protected by a WAF can further improve the app’s overall security posture. Any attacks the WAF fails to stop can be identified by the security team for further fine-tuning. If the rules included with a WAF fail to mitigate a finding from the DAST scan, a custom WAF rule can be written and deployed to address the specific finding. The team no longer needs to wait for a security patch or an imminent attack to mitigate these threats.
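To make the "custom WAF rule for a specific finding" idea concrete, here is an added example (not Verizon Media's WAF, and not its rule syntax) of a virtual patch scoped to one endpoint and one parameter that a DAST scan flagged for reflected cross-site scripting. The finding id, endpoint, parameter name and allowlist pattern are constructed placeholders; the rule uses a positive allowlist for the parameter rather than trying to enumerate bad input, and leaves every other endpoint untouched.

```python
"""Scoped virtual patch: a WAF-style rule tied to one DAST finding.

Hypothetical example, not a real product's rule language. The rule only
fires for the endpoint and parameter named in the finding, so unrelated
traffic is never affected while the code fix goes through a sprint.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Rule:
    finding_id: str        # the DAST finding this rule mitigates (placeholder id)
    path: str              # endpoint the finding was reported against
    param: str             # the one query parameter found to reflect input
    allowed: re.Pattern    # positive pattern the parameter value must match
    max_len: int = 64      # upper bound on value length


@dataclass
class Decision:
    action: str                    # "allow" or "block"
    rule: Optional[str] = None     # finding id of the rule that fired
    reason: Optional[str] = None


def evaluate(url: str, rules: List[Rule]) -> Decision:
    """Apply scoped rules to one request URL; first matching rule decides."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for rule in rules:
        if parts.path != rule.path or rule.param not in query:
            continue  # out of scope for this finding: pass through
        for value in query[rule.param]:
            if len(value) > rule.max_len:
                return Decision("block", rule.finding_id, "value too long")
            if not rule.allowed.fullmatch(value):
                return Decision("block", rule.finding_id, "value fails allowlist")
    return Decision("allow")


# Constructed rule for a constructed finding: search terms on /search may only
# contain letters, digits, spaces and a little punctuation.
RULES = [
    Rule("DAST-EXAMPLE-001", "/search", "q", re.compile(r"[A-Za-z0-9 .,'-]*")),
]

if __name__ == "__main__":
    for u in ("https://app.example.test/search?q=blue+shoes",
              "https://app.example.test/search?q=%3Cb%3Ehello%3C%2Fb%3E",
              "https://app.example.test/about?q=%3Cb%3E"):
        print(u, "->", evaluate(u, RULES))
```

Logging the finding id alongside each block decision lets the team tell, from WAF logs alone, which virtual patches are still being hit and can be retired once the code fix ships.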
2. How can I identify and fix vulnerabilities in my tech stack?
Modern web application technology stacks consist of many components, such as front-end frameworks, web and database servers, and web development frameworks. Some of these components are extensible with plug-ins, extensions and add-ons. Keeping an inventory of every third-party component, and understanding and applying critical security patches for each, should be part of every application security program. However, critical patches sometimes cannot be applied without changes to the application code, which requires a development sprint.
Software patching gives the organization more time to fix a known security vulnerability. Web application teams should test and apply software patches regularly, such as monthly or whenever there is a software release. Doing so reduces the time flaws exist and the amount of time an attacker has to exploit them. The longer the weaknesses remain, the greater the likelihood that malicious actors will exploit them.
A WAF empowers development teams to apply an immediate fix to prevent exploitation while giving breathing room to patch and update application code.
Although running a WAF in a staging or QA environment can give insight into whether a particular WAF configuration will prevent an attack, there is no substitute for running the WAF against live production web traffic. Learn how our Dual WAF mode features enable security teams to test new WAF profiles on production traffic, stop emerging threats and shrink the response time by up to 86%.
3. What is my app update/decommissioning process?
Applications built on older tech stacks should be updated or decommissioned. Many companies can no longer fix older application code if the tech stack isn’t being maintained. Balancing security with business needs may require an interim solution. Running a comprehensive DAST scan and a carefully tuned WAF with appropriate custom rules when needed enables you to safely run web apps until they are upgraded or decommissioned.
4. What is the impact of security events on server capacity?
Balancing server capacity and cloud costs is a tradeoff between customer experience and business needs. However, allocating server capacity to accommodate illegitimate users is not the best approach.
While the threat of high-profile DDoS attacks remains, it is much more common to see attacks in the 1 Gbps range. These high-demand security events, along with automated scans or bots using your web application, may not make the news, but they can still degrade your customers' experience on your site.
Leveraging a cloud-based WAF can filter out much of this undesirable traffic before it impacts your web application, preserving server capacity for actual users.
5. Are there compliance requirements I need to adhere to?
Depending on your industry and application type, your application may need to conform to industry regulations. If your site processes credit card payments, then it likely has to be PCI compliant. Your company may need to comply with SOC 2 Type 2 because of the sensitive nature of the data your application uses and retains. Many of these regulations require the use of a WAF.
Even when no industry regulations are applicable, you might want to consider following industry best practices and guidelines. You can use the Center for Internet Security controls or the AWS Well-Architected Framework. Both of these recommend using a WAF because it can inspect and filter malicious web traffic.
Have more questions?
Securing your web application is an important task that requires balancing security, engineering and business interests. At times these interests conflict, making it challenging for developers to take action.
A WAF can help close this gap while the team prioritizes threats and implements fixes into your CI/CD pipeline. Our powerful, cost-effective WAF Insights has lowered the barrier to WAF adoption. Please fill out the form below to get all your questions about hardening your web security and our WAF insights answered.