The importance of AppSec in Digital Transformation
Digital Transformation: The Beginning
To younger people, digital transformation may seem like a reality that has always been present.
But those who remember how business worked before the 2000s probably also remember a very sharp turning point.
The idea of buying things over the Internet, checking your accounts online, exchanging images and music: all of this characterized a period of revolutionary change and completely reshaped the way business is thought about.
This movement, which later came to be called Digital Transformation, consisted of using technology to change and improve the way business is done.
What is Digital Transformation?
Summing up, we can say that Digital Transformation is the use of digital technologies across all business areas, fundamentally changing the business in order to deliver more value to clients.
It is important to say that Digital Transformation implies a cultural change, which generates a necessity for constant internal adjustments.
On cultural change, James Bilefield reminds us that “Culture is the most difficult part to change in an organization”, reinforcing the idea that big changes must be accompanied by cultural changes.
As we have seen, digital transformation is nothing new; this process has been under way since the first big digital companies appeared in the early 2000s.
In this article published by the Wall Street Journal in 2011, Marc Andreessen wrote that “software is eating the world”, referring to how quickly things were changing.
Main changes in Digital Transformation
Digital Transformation introduced many changes to the market, so we have to focus on those that really concern the world of AppSec.
At the beginning of the digital movement, executives and technicians were concerned with how they would protect their physical boundaries.
This behavior reproduced the model adopted by large nations, which put up protective barriers so that the outside world would interfere as little as possible with their systems.
However, if we look at the current digital scenario, this kind of behavior is no longer compatible with reality.
Digital Transformation today is much more closely linked to a complex set of actions that must be carried out across various sectors of the company to keep the business running.
In the beginning, security was basically a large group of technicians focused almost exclusively on protecting the network and its physical boundaries, and paying little attention to software.
What we understand today is that software, as a point of concern and as an attack surface, has already overtaken the network infrastructure, as Verizon’s 2018 Data Breach Investigations Report showed us.
This is not to say that we should stop worrying about security at the infrastructure level. But priorities have changed, making software protection more visible.
These changes are also quite predictable: software today is at the heart of the operations of companies that have embraced Digital Transformation.
Application Security in Digital Transformation
We know that a software failure can cause companies to suffer huge losses.
Legislation, standards, and regulations are emerging and being updated every day, in different ways in many countries.
This became a reality once the discussion turned to protecting the data of the people who use digital systems; after all, they are the main victims of these failures.
From a development point of view, Digital Transformation has brought major changes and new ways of thinking about application security.
New methodologies were created, new processes developed, and all aimed at delivering safer digital products to the final consumer.
However, even with these advances, we have to understand that change can also bring drawbacks.
The market has become increasingly demanding and faster, and this has had a huge impact on software production.
With the speed expected of software production today, even with many methodologies showing us best practices, development teams end up skipping steps.
This optimization of the software production process often disregards steps that are essential to secure application development, and this needs to be reviewed with some urgency.
Challenges of this change
Although many have already realized that a lack of attention during software development exposes the application to risk, few are really looking for solutions within this process.
We strongly believe that we need to help the market see software development as one of the first barriers that must be raised when it comes to security.
If we imagine that the vast majority of businesses today are on the Internet, and these businesses are supported by applications exposed directly to it, securing those same applications is an urgent mission.
How to minimize the risks?
We already know that digital transformation is happening and that it is useless to try to stop it. At this point, the best course is to make sure these improvements do not carry more risk than necessary.
But why isn’t this being done the right way?
In order for digital transformation to happen safely within companies, we believe some points should be observed, which are listed below:
1. Know your exposure level
Many companies don’t have a clear view of how exposed they are. This blind spot is reinforced by the misconception that the application itself is already protected; we know from experience that this is often not the case.
A survey conducted by the Ponemon Institute shows a big difference between the answers of technical and non-technical managers when asked about the real security situation of their business.
For non-technical managers, application security is being handled well, and vulnerability issues in their applications are small and irrelevant.
When the same question is put to technical managers, the understanding is completely different: they cannot say with confidence how secure their applications are.
This data alone would be a serious warning sign, but the survey contains further cybersecurity findings that make the whole document worth reading.
2. Track all changes in the development process
By its very nature, Digital Transformation requires software developers to evolve constantly and to make new solutions available quickly.
These factors alone are enough to make it difficult to produce software with the planning, resources, and time needed for a secure result.
The pressure for speed sometimes leads companies to look for shortcuts in the latest development methodologies. They may also use third-party software that often has not received adequate attention to code security.
This only draws attention once software that is already in production, carrying those vulnerabilities, suffers a data breach. In either case, the scenario is quite unfavorable.
Methodologies such as DevOps have been widely adopted by companies built on digital products.
However, the method can also have drawbacks: even with continuous delivery in place, basic security steps are set aside in favor of delivery speed.
Adopting a well-structured process that does not impact delivery time, combining the production line with constant review, seems to be a good solution.
We therefore believe that a Continuous Application Security process can be one of the foundations that brings more security to the digital change companies are looking for.
3. Improve Application Security
We believe it is very important to look carefully at how to improve the development process, but for that we need to consider some points that will make the transition less demanding.
3.1 Invest in training
It is essential to give development teams the knowledge they need. Techniques evolve, and so does technology, which is why we have to keep a constant training schedule aligned with market best practices.
This is the best way to ensure that your development team stays in touch with the precautions needed when it comes to application security and secure development.
Here are some good examples of how constant training brings better results.
You may also invest in training security leaders within development teams, with external support. Security Champions are professionals who help foster a security culture from the inside out. We cover this subject in this article.
In the Ponemon Institute survey cited above, 60% of technical executives said they understood that relying on the evolution of tools and the use of artificial intelligence can reduce the exposure of their products.
It is interesting to note that even companies with this level of confidence in tooling still keep a periodic training schedule, whether through training delivered by the company itself or through digital content.
Creating and executing training programs can be a great asset for companies.
3.2 Test the structures regularly
A second, equally important point is regular testing of both the infrastructure and the application, because periodic testing gives the company a clearer view of the state of its applications.
It is important to state that tests can be executed either by trained internal analysts or by outsourced companies specialized in this type of security validation.
Another great benefit of systematic testing is the construction of a database of findings that helps identify problems, mainly gaps in developers’ knowledge.
Of course, these precautions alone will not solve all of the development team’s problems, but they already contribute significantly to a better security scenario.
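As an added example (not code from the original article or from any particular vendor), the script below shows one way the database of findings mentioned above can be turned into something actionable: recurring vulnerability classes per team across test rounds point to knowledge gaps that training should target, and classes that disappear between rounds show where fixes or training took effect. The team names, vulnerability classes, and the three test rounds in the sample are constructed for illustration; a real tracker would export similar records from its own schema.

```python
"""Turn a log of periodic security-test findings into training priorities.

Added example. The findings below are constructed sample data: three
hypothetical test rounds over two hypothetical teams. Any real tracker
(pentest reports, SAST results) can be mapped onto the Finding fields.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    test_round: str   # identifier of the test round, e.g. "2019-01"
    team: str         # team that owns the affected component
    category: str     # vulnerability class, keyed by CWE
    component: str    # where the issue was found


# Constructed sample data: assumed findings from three test rounds.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("2019-01", "payments", "CWE-89 SQL Injection", "checkout-api"),
    Finding("2019-01", "payments", "CWE-79 Cross-site Scripting", "merchant-portal"),
    Finding("2019-01", "accounts", "CWE-79 Cross-site Scripting", "profile-web"),
    Finding("2019-01", "accounts", "CWE-287 Improper Authentication", "login-api"),
    Finding("2019-04", "payments", "CWE-89 SQL Injection", "refunds-api"),
    Finding("2019-04", "payments", "CWE-79 Cross-site Scripting", "merchant-portal"),
    Finding("2019-04", "accounts", "CWE-79 Cross-site Scripting", "profile-web"),
    Finding("2019-07", "payments", "CWE-89 SQL Injection", "checkout-api"),
    Finding("2019-07", "accounts", "CWE-287 Improper Authentication", "login-api"),
]


def recurrence_by_team(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Count, per team and vulnerability class, how many distinct test
    rounds reported that class. Counting rounds rather than raw findings
    avoids one noisy component inflating a team's score."""
    rounds: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for f in findings:
        rounds[f.team][f.category].add(f.test_round)
    return {
        team: {cat: len(seen) for cat, seen in cats.items()}
        for team, cats in rounds.items()
    }


def training_priorities(findings: List[Finding], min_rounds: int = 2) -> List[Tuple[str, str, int]]:
    """Vulnerability classes that keep coming back for the same team in at
    least `min_rounds` rounds. A class that reappears after being reported
    is a knowledge gap, not a one-off bug, so it is sorted first."""
    priorities = [
        (team, cat, n)
        for team, cats in recurrence_by_team(findings).items()
        for cat, n in cats.items()
        if n >= min_rounds
    ]
    priorities.sort(key=lambda item: (-item[2], item[0], item[1]))
    return priorities


def resolved_between(findings: List[Finding], earlier: str, later: str) -> Dict[str, List[str]]:
    """Per team, classes reported in round `earlier` but absent in round
    `later`: a simple signal that fixes or training had an effect."""
    by_round: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for f in findings:
        by_round[f.test_round][f.team].add(f.category)
    return {
        team: sorted(cats - by_round[later].get(team, set()))
        for team, cats in by_round[earlier].items()
    }


if __name__ == "__main__":
    for team, cat, n in training_priorities(SAMPLE_FINDINGS):
        print(f"{team:10s} {cat:35s} seen in {n} rounds")
    print("resolved 2019-04 -> 2019-07:", resolved_between(SAMPLE_FINDINGS, "2019-04", "2019-07"))
```

In the sample, SQL injection shows up for the payments team in all three rounds, which is the kind of pattern that justifies targeted training rather than another round of point fixes.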
We believe these are key points that must be observed for an internal security movement to begin, and this initial movement can be an important support for a company’s digital transformation. We need to understand that the evolution of a business model can be conducted so that all aspects of the business evolve together.
We can’t assume that business evolution must be driven by one area while the others simply follow; we believe that a collective approach, with a closer look at Application Security in particular, can bring a much more vigorous and lasting result.