
Security Think Tank: Gap, risk and business impact analysis key to application security

What should organisations be doing to address application layer attacks and reduce the likelihood of a breach through this type of attack?

To address and protect against application layer attacks, it is imperative that organisations understand how their applications are built and are mindful of what developers are doing as they focus on the interface, usability and user experience.

While interface, usability and user experience are important factors, developers must follow a “White Book” on coding that considers security measures such as where logs are kept, how access control is managed and how, in the case of a breach, investigators can trace back what happened.

Of course, the reality of the marketplace is that organisations and developers are increasingly pushed to bring new features and applications to market (particularly with disciplines known as “Time-to-Market” and “Time-to-Value”).

This focus on speed makes features and functionality the priority for development teams, so security controls are consequently left behind, opening the door to vulnerabilities and, in turn, to attacks.

To reduce the likelihood of an attack, organisations have to enforce monitoring and keep in mind that, even in an outsourced environment, they retain responsibility for providing a robust and solid app – a secure ecosystem for employees and consumers alike.

It is critical to enforce testing too, so that companies are sure of the integrity of the app before it reaches a community. We must not forget that separate environments, such as development, test, pre-production and production, are still the path to follow – particularly in a cloud-based world, where technology is not the problem and development teams can create almost any environment and have any type of platform ready to use in a matter of minutes.

Looking beyond development, application layer attacks can be avoided with the proper gap analysis, risk assessments and business impact analysis (BIA). Following best practices is fundamental in keeping attacks at a distance and closing the holes on cloud applications so data is not breached in any system or on any platform.

Fortunately, there is technology available to help with these tasks. In an epoch where workloads are deployed across many containers using microservices, it is critical that we protect and defend cloud workloads and make sure that they contain no malware – and that the code has not been touched.

Solutions such as cloud workload protection, working with providers such as Microsoft’s Azure, Google, Amazon and Docker, amongst others, have to be part of the equation.
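One concrete way to check that deployed code "has not been touched", as the paragraph above asks for, is to record a sealed hash manifest of the workload's files at release time and verify it before the workload is trusted. The following is an added example written for this article; it is not code from the author or from any of the named providers. It assumes a hypothetical release key held by the organisation (here a constructed placeholder) and builds its own small sample workload in a temporary directory so it runs offline.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical release key; in practice this is held out of band by the release process,
# never inside the workload image itself. Constructed placeholder for the example.
RELEASE_KEY = b"example-release-key-do-not-reuse"


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large artefacts do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Serialise the manifest deterministically and attach an HMAC so the manifest
    itself cannot be silently edited by whoever alters the files."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}, sort_keys=True)


def open_manifest(sealed: str, key: bytes) -> dict:
    """Verify the HMAC before trusting the manifest; raise if it has been tampered with."""
    wrapper = json.loads(sealed)
    body = json.dumps(wrapper["manifest"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest has been altered")
    return wrapper["manifest"]


def verify_workload(root: Path, sealed: str, key: bytes) -> dict:
    """Compare the files on disk against the sealed manifest and report every deviation.
    An empty report in all three categories means the workload matches the release."""
    baseline = open_manifest(sealed, key)
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Build a constructed two-file workload, seal it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "main.py").write_text("print('hello')\n")
        (root / "app" / "config.json").write_text('{"debug": false}\n')

        sealed = seal_manifest(build_manifest(root), RELEASE_KEY)
        assert verify_workload(root, sealed, RELEASE_KEY) == {
            "modified": [], "missing": [], "unexpected": []
        }

        # Simulated post-release tampering: one file edited, one removed, one added.
        (root / "app" / "main.py").write_text("print('hello')\nimport os\n")
        (root / "app" / "config.json").unlink()
        (root / "app" / "extra.sh").write_text("#!/bin/sh\n")
        return verify_workload(root, sealed, RELEASE_KEY)


def tampered_manifest_is_rejected() -> bool:
    """Editing a single hash inside the sealed manifest must fail verification."""
    sealed = seal_manifest({"app/main.py": "00" * 32}, RELEASE_KEY)
    forged = sealed.replace("00" * 32, "ff" * 32)
    try:
        open_manifest(forged, RELEASE_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("forged manifest rejected:", tampered_manifest_is_rejected())
```

The manifest is sealed with an HMAC keyed by a secret that lives with the release process, not in the image, so an attacker who can alter files inside the workload cannot also rewrite the manifest to match. A real deployment would store the sealed manifest alongside the image in the registry or pipeline and run the verification step before the container is promoted from pre-production to production.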
