.
Application Security

Do IT Right The First Time (3 Application Security Tips)

By October 7, 2020 One Comment

This post would not be complete without first acknowledging the incredible people who are on the frontlines of the Coronavirus Pandemic. We thank you and appreciate your incredible commitment to the safety, health, and wellbeing of those around you. 

We hate to be the bringers of bad news. And here it is: a single overlooked vulnerability can cost a user millions of hard-won dollars, and even worse, the loss of reputation and trust among its various publics. In some cases, a single breach can damage public trust in an entire industry or process.

Creating, developing and building a secure application doesn’t give us much room for error. Often, there are no second chances. So it needs to be right the first time.

The Common Sense Approach May Not Always Be the Obvious One.

Companies that can afford to often solve the problem of application security by throwing money at it. Often it’s after the damage is done. The news is rife with stories about how this or that vulnerability has been discovered – or worse, exploited – and how much it’s costing the affected organization. It’s not cheap: a single data breach costs the average company $8.19 million. Companies that can afford that pay the price and move on. Companies that can’t, fold. 

But the silver lining (yes, there is one) is that it is possible to do it right. The first time. Prevention, after all, is better than cure. Here are three simple, practical and proactive ways that support the development of safe and secure applications. 

1. Think like a cybercriminal.

We’re not suggesting that you become one. We’re saying think like one. Wanna build a mousetrap? Think like a mouse. What’s a cybercriminal’s motivation? Is it money, or fame? Revenge? Sheer boredom? Something else altogether? Think about it: between mid-March and the end of April 2020, 30 million Americans filed unemployment claims. That’s a lot of people with little or nothing to do, and who still have ongoing expenses. And there are a lot of very smart people in that crowd. We’re not talking about comic-book supervillains with superpowers who are out to destroy the world, just because. These are real human beings, with real abilities and capabilities. And real reasons.

Application Security Lessons

In some ways, it’s like a chess-match. We need to understand our opponents so we can block their attempts to attack us. It takes a deep understanding of the object of the game, the possible pathways inherent to the game, and the ways those pathways may be used. And it’s not just our opponents’ very next move. It’s the move after that, and the one(s) after that. But all it takes is a break in our defenses….

And check-mate. 

2. Test, test, and test the security of every application. Then test again.

As the mouse gets better, build a better mousetrap. Or better anti-mouse protection. Mice don’t sit around waiting for defenses to come down; they look for ‘em. Similarly, cybercriminals don’t sit around waiting for vulnerabilities to come to them. Knowing how a cybercriminal thinks means you know that they’re actively exploring vulnerabilities; they’re hunting for them, and finding ways to get around and through an organization’s  defenses. And when they find a way, they’re in. One happy cybercriminal later, a company is in the hole, and heavy consequences follow. 

Exhaustive testing and evaluation provides an honest, ongoing look at the safety and security of an application throughout its development and maintenance. Once we know of a vulnerability’s existence, we can resolve it. Ignorance, in this case, is anything but bliss. Make no mistake: what we don’t know can hurt us. And it often will. 

But while it’s true that no application is 100% secure against 100% of cyberattacks 100% of the time, testing and assessment goes a very long way in keeping precious data safe. If you know how and where those pesky mouses (sic) are getting in, you also know how to keep them out. Cheese/data is safe, everyone is happy. 

Keep testing.

3. Question the integrity of the apps. Constantly.

Assume the cybercriminal is always trying to get in. Always. Again, it’s the cyber chess match and the invasion of the cybermouses trying to get at the figurative cheese-data. 

We want to be clear on this point: Being proactive doesn’t mean doubting the integrity of our product(s). But merely expecting that our application developers know how to build security into the finished product(s) is foolhardy. Instead, the smart thing is inspecting. Inspecting the integrity of our applications ongoingly makes sure that we provide our customers and clients with the safest possible applications for their needs. In a way this is customer service at its finest. Likely as not, our customers and clients will never know about the work that went into securing the applications they have purchased. Unhappy cybermouse equals happy customers and clients. 

We’re okay with that. 

More Easily Said Than Done? Not Necessarily.

So how can we hit all the points above? It’s simple: in a word, training. 

When application developers receive effective security training…

  • They understand that identifying and resolving vulnerabilities is a key component of a company’s success, and that they are a vital part of that success. 
  • They learn how to create applications that complete the necessary tasks while keeping an organization safe and secure from cyber attacks.
  • They know how to inspect their work from the get-go, always ensuring that apps work as intended. 

In essence, training prevents our developers from getting it ‘almost-right.’ It takes chance and hope out of the equation, and provides peace of mind. 

Do the smart thing. Do IT Right the First Time. 

Now, more than ever, well-informed, committed action is crucial. Maybe there’s no ‘silver bullet’ against all cyber attacks. But application security training most certainly provides a measure of protection that would not exist without it. We can train your developers to Do IT Right the First Time, and make the difference for you.

Joe Copeland

Joe Copeland

Joe is a KMI Academy lead as well as an SEO specialist for KMI Learning. He is also a certified Master Trainer for PowerLift Training a material handling safety training program.