Application Security is actually both a long standing foundation of cyber-security and a new frontier. For most organizations, some aspects of application security assurance have always been prioritized as a fundamental part of a mature security posture. For instance, penetration testing of web applications has been a both a pure security, as well as a compliance requirement, in the last 15 years (since web applications became interactive). Nevertheless, application security assurance is also a new frontier in the sense that there is still a need for more robust adoption of less understood application security practices, such as secure design and architecture, secure coding standards, and security code review. When combined with the trend of organizations increasingly hosting applications in public cloud infrastructures, it’s truly a new set of challenges.
In theory, the same security practices and standards apply — whether applications are hosted in traditional, on-premise systems or cloud environments. In practice, however, many complexities arise, requiring both the rigor of subject matter expertise as well as the ability to make risk decisions based on specific application scenarios. For instance, there will be times when a particular infrastructure security component, such as a web application firewall, will be made more relevant due to vulnerabilities inherent in a given architecture or development framework. For example, in the case of application languages or frameworks which may not allow the segregation of the presentation and application layers, it may be all the more important to monitor activity via a web application firewall.
For technology decision makers, it is a requirement to demonstrate a projected Return On Investment (ROI) from expenditures on people, process and tools required for any technology activity, and perhaps that much more so for security activities. Luckily, today we have well-established documentation of the minimal expenditure required to both find and remediate vulnerabilities at the design or code review phase of the Systems Development Lifecycle (SDLC). The cost to fix and remediate vulnerabilities sharply increases at each subsequent stage in the SDLC, and the tangible and intangible costs of an actual breach are the most expensive.
Technology organizations are rightly strengthening their cybersecurity incident detection and response capabilities. As they do, they are seeing web application vulnerabilities continuing to become more and more prominent as exploit vectors for both external and internal bad actors. Remediating web vulnerabilities requires careful coordination between infrastructure and development teams. This coordination is further complicated by the shared management of applications with cloud providers, geographically dispersed development teams, iterative development methodologies (such as Agile), and varying length release and change management cycles.
Coordinating web application security and infrastructure remediations owned by multiple stakeholders, and ensuring that all parties concerned understand the potential impacts of uncorrected vulnerabilities is critical. Security awareness enables teams to collaboratively stakeholders be able to make sound risk, and prioritization decisions based on an understanding of the latest vulnerabilities and emerging threats Getting to this level of maturity is a costly challenge for technology leaders. While industry thought-leadership organizations, such as the Open Web Application Security Project (OWASP), offer invaluable guidelines about web application development best practices, subject matter expertise that is grounded in practical experience is what allows security organizations to facilitate thoughtful risk reduction decisions across the enterprise.
In the Dell Application Security Services practice, we take great pride in helping technology leaders and development organizations make just these sorts of informed decisions. Dell Application Security has both depth and breadth of experience. Our subject matter experts pride themselves on their intellectual curiosity. We constantly study to understand the changing cybersecurity threat landscape and offer our customers the best advice possible.
Dell AEGIS, our Application Security as a Service offering, provides a portal for on-demand security testing. And our managed services provide the human subject matter expertise to interpret testing results in a way that takes both our customers’ organizational contexts and the threat landscape into consideration. Our managed services can be leveraged as either a full SDLC assessment and advisory offering or as a menu of ala carte services to add missing security components to the SDLC. Dell AEGIS takes a comprehensive approach to security, encouraging developer, DevOps, and infrastructure teams to collaborate to address vulnerabilities holistically as early in the lifecycle as possible.
Dell AEGIS leverages the depth and breadth of Dell’s security expertise, offering contextual guidance based on knowledge of emerging threats, the customer’s application architecture and infrastructure, as well as the frameworks and regulatory requirements relevant to the customer’s organization. When combined with Dell Managed Application Security Services, Dell AEGIS provides a cost-effective way for technology leaders to address a complex and critical set of problems.