Newsletter #11: Application Security 101 & Thoughts
There’s quite a lot that happened this week, so it was kind of tough for me to pick a topic to discuss. One topic that I think is important for everyone to understand is application security.
Your application, especially a web application, is the front door into your environment. One vulnerability in your web application can let an attacker into your network and even execute arbitrary code (remote code execution, RCE). That essentially gives them incredible access to your network, as in the Equifax hack. That’s why a zero-trust network is important, though I’ve spoken about that before. And of course, patching your servers is essential!
So, where does one start in application security? I recommend starting with the OWASP top 10 list. There, you will find the ten most common categories of vulnerabilities that web applications suffer from. Address these, and you’ll be in a good position.
But how do you go about addressing application security vulnerabilities? Say you did a pen test and discovered that a page on your website was vulnerable to XSS. Well, you can fix that particular vulnerability. However, if you don’t address the underlying reason why that vulnerability existed, you’re allowing history to repeat itself. This is all part of the Secure Software Development Lifecycle (SSDLC).
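To make the point-fix versus root-cause distinction concrete, here is an added example (not code from the newsletter or from any project it mentions). The page renderers, the probe string and the input values are all hypothetical and constructed for the demo. The pen test flags one page; escaping that one page closes the finding but leaves a sibling page with the identical defect. Routing every page through a renderer that escapes by default removes the class of bug rather than one instance of it.

```javascript
// Added example: a point fix vs. a root-cause fix for reflected XSS.
// All page renderers and inputs here are hypothetical/constructed for illustration.

// Encode the characters that let untrusted text break out of an HTML text node or attribute.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// BEFORE: each page concatenates raw input into markup.
// The pen test reported the search page only.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}
function renderProfilePageVulnerable(displayName) {
  return `<p>Welcome back, ${displayName}</p>`;
}

// POINT FIX: the reported page is escaped; the profile page, which nobody tested,
// still carries the same defect. History is free to repeat itself.
function renderSearchPagePointFix(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// ROOT-CAUSE FIX: a tagged template that escapes every interpolated value by default.
// Pages cannot forget to escape because they never build raw markup themselves.
function html(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}
function renderSearchPage(query) {
  return html`<h1>Results for ${query}</h1>`;
}
function renderProfilePage(displayName) {
  return html`<p>Welcome back, ${displayName}</p>`;
}

// A check a unit test or code reviewer can run against rendered output:
// does any <script tag survive into the markup?
function containsRawScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed probe input, the classic XSS test string.
const PROBE = '<script>alert(1)</script>';

// Stand-alone demo.
console.log('vulnerable search :', containsRawScriptTag(renderSearchPageVulnerable(PROBE)));
console.log('point-fixed search:', containsRawScriptTag(renderSearchPagePointFix(PROBE)));
console.log('vulnerable profile:', containsRawScriptTag(renderProfilePageVulnerable(PROBE)));
console.log('hardened search   :', containsRawScriptTag(renderSearchPage(PROBE)));
console.log('hardened profile  :', containsRawScriptTag(renderProfilePage(PROBE)));
```

The same idea applies to any framework: prefer a templating layer with auto-escaping on (and treat any "raw"/"safe" bypass as a code-review trigger) over remembering to call an escape function at every call site.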
Another part of this is remediating known vulnerabilities. What happens if you have a software vulnerability scanner in your pipeline, but its findings are ignored and never remediated? This happens a lot. Establish with your engineering team defined criteria for how quickly vulnerabilities must be remediated, as well as the criteria by which vulnerabilities are classified.
There is so much to application security. There are even whole books on the subject. For now, I just want to raise awareness on the topic.
PS. If you’re curious what other topics I considered for today, they were:
- Mobile Security
- Secrets Management
- AWS Account Structures
- User Authentication Best Practices
This article was previously posted in the Newsletter.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.