If you don’t work in tech, or even if you are not a tech enthusiast, you may be asking yourself: what exactly is application security? Application security is the name given to the process of building, launching and maintaining applications securely, by applying good practices throughout development.
Most of this work happens during the development process, but it has to continue, through tools and strategies, after the application has been deployed. Contrary to what many think, application security is not just about testing.
At Conviso, we work with the idea of application security on an ongoing basis. We believe that it must become part of the culture of a company, through training and good practices.
But what is application security for?
The world now revolves around applications for carrying out all kinds of daily tasks, such as banking and online shopping. And all of these applications are created by humans.
Therefore, the idea behind application security is to prevent vulnerabilities from exposing data or allowing access to system functionality to people with malicious intent.
It is important to note that there are no completely invulnerable applications. Any and all applications can be the target of intruders – some more easily than others – which is why appsec is so necessary.
Important data about application security
According to Grand View Research, the global application security market was estimated at $4.2 billion in 2019 and was expected to reach $4.9 billion in 2020. In other words: this is not a small market.
In addition, studies by Gartner show that 75% of attacks seek to exploit application-level vulnerabilities. Beyond the financial and operational impact, an attack on an application can trigger a major crisis for the company that runs it.
It’s an obligation of each company to protect its customers’ data in the best possible way. With the General Data Protection Law, the matter becomes even more serious and liable to sanctions in the case of negligence.
However, at Conviso we argue that application security should be an investment made not only to comply with laws and regulations, but mainly for the sake of ethics and good practice, and, of course, as a way of offering the best services and the safest products to the consumer.
After all, ensuring application security means investing not only in protection – but also in the company’s reputation and longevity. And this cultural issue involves the Shift-Left concept.
The Shift-Left concept
If you have studied a little about Application Security, you have certainly come across the chart above. In the software development process, the delivery flow is conventionally drawn horizontally, as in the chart, from left to right.
As we can see in the image, application planning sits at the left of the chart. On the right is where the application is operated and monitored.
But what does the shift-left concept mean? The image shows about eight steps in the CI/CD flow, and security tests usually only start in the last two steps (Operations and Monitoring).
What shift-left suggests is that, instead of leaving AppSec to the end of development, we should “pull” it to the left of the chart, starting the development process in a more structured way with application security in mind, that is, applying it from the very beginning of the process!
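As an added illustration, not part of the original article and not Conviso's own tooling, here is what “pulling security left” looks like when written down as a CI/CD pipeline definition. It assumes a GitHub Actions workflow for a hypothetical Python service with a pinned requirements.txt; the tool choices (gitleaks, semgrep, pip-audit, ZAP), the action version tags and the STAGING_URL secret are illustrative assumptions, and deployment to staging is assumed to happen in a separate workflow.

```yaml
# Added example: a GitHub Actions workflow for a hypothetical Python service.
# Before "shifting left", the only security activity in this pipeline was the
# scan of the running system at the Operate/Monitor end (the last job below).
# After shifting left, secret scanning, SAST and dependency auditing run on
# every push and pull request, before anything is built or deployed.
name: ci

on:
  push:
    branches: [main]
  pull_request:

jobs:
  # Code stage: fail fast on committed credentials. gitleaks scans the
  # repository history and exits non-zero on findings, which blocks the PR.
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so a secret committed then removed is still found
      - uses: gitleaks/gitleaks-action@v2

  # Code/Build stage: static analysis of the source before it is built.
  # "--error" makes semgrep exit 1 when it reports a finding.
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install semgrep
      - run: semgrep --config p/owasp-top-ten --error .

  # Build stage: known-vulnerable third-party packages are caught at the
  # point where dependencies are resolved, not after deployment.
  deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install pip-audit
      - run: pip-audit -r requirements.txt   # assumes a pinned requirements.txt (hypothetical project)

  # Test stage: functional tests only start once the security gates pass.
  test:
    needs: [secrets, sast, deps]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -r requirements.txt pytest
      - run: pytest

  # Operate/Monitor stage: the scan of the running application stays, but it
  # is now the last line of defence rather than the first. STAGING_URL is a
  # hypothetical repository secret holding the address of the staging deployment.
  dast:
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-baseline@v0.12.0
        with:
          target: ${{ secrets.STAGING_URL }}
```

The point of the layout is the dependency graph, not the particular tools: the three left-hand jobs have no `needs`, so they run first and in parallel on every change, the test job cannot start until they pass, and the dynamic scan at the right only ever sees code that has already been through them.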
When did application security arise?
Ensuring information security, in general, is nothing new. However, application security came along with applications – in a much simpler way than we know nowadays, of course – and has been developing ever since. And this is far less recent than it may seem.
It was during the Second World War that what is often described as the first large-scale codebreaking effort took place. The Bombe, an electromechanical machine built by the British at Bletchley Park (building on the Polish “bomba” designed by Marian Rejewski), was used to recover the daily settings of Enigma, the cipher machine Germany used to encrypt its messages.
Perhaps our false idea of application security as something very recent comes from the fact that computers became accessible to the average user only a few decades ago. But industries that deal with highly sensitive information, such as the military, had been using computers for decades before that, and it was in the 1960s that information security began to grow rapidly.
This decade, in fact, was very important for the AppSec area. After all, until the early 1960s, password storage, for example, occurred very simply and with highly vulnerable access controls. It was in the late 1960s that the area of information security began to grow and gain more importance.
However, in the 1970s and most of the 1980s, flaws in the code itself were not treated as a distinct risk. At that time, most of a computer’s risks revolved around the physical integrity of the machine: computers were very expensive, so they had to be protected from theft and from more obvious threats, such as unauthorised access to private documents.
Application security in the 2000s
Of course, there were important developments in the following decades that greatly influenced the appsec market. The first version of HTTPS appeared in 1994, for example. In 1995, SATAN (Security Administrator Tool for Analyzing Networks), by Dan Farmer and Wietse Venema, became one of the first widely distributed vulnerability scanners; it even shipped with a script that renamed it to the less provocative SANTA.
However, in the early 2000s, when computers and cell phones became much more accessible to the population, Application Security started to look more as we know it today. That’s when we started to see the birth of the first companies and tools focused on AppSec, as well as AppSec being treated as a business.
In 2001, OWASP was founded, the Open Web Application Security Project – an institution that leads many of the standards presented for application security – and what we follow here at Conviso.
In 2004 the PCI (Payment Card Industry) launched the first Data Security Standard (PCI-DSS), setting minimum security standards for handling credit card data.
How is the Application Security market today?
Although the application security market has developed a lot, there is still a long way to go – especially when it comes to seeing appsec as a culture to be implemented, and not just as a combo of tools to be acquired. And this is a global problem.
At Conviso, we always emphasize that AppSec is not limited to code or to testing practice. On the road to implementing a security culture, there are a number of other elements involved in the process, and this culture must be fostered and disseminated throughout the company.
Developers need to be aware of security issues, but they also need to be continuously trained in up-to-date practices and technologies, so that security is present at every stage of development.