Wednesday October 21, 2020

Everyday apps need security to be built in from the outset

Apps are being developed, released and updated faster than ever before, with the security element often struggling to keep up

17th October, 2020
Michael Conway, director, Renaissance

It’s hard to overstate just how crucial apps are to our day-to-day lives. From work to play and everything in between, apps are the format in which we consume and interact with services.

All follow the same pattern: a front end simple enough for anyone to use, with serious complexity hidden away in the back end.

Expectations of what apps should deliver have grown, and apps are developed, released and updated faster than ever. While the speed of development has increased, the security element has struggled to keep pace.

Apps are also one of the most popular targets for attackers. In the mobile space alone, there are 5.19 billion mobile phone users, who spend 90 per cent of their time on apps.

That is great for companies developing apps, but it also makes them a haven for attackers, since many apps hold sensitive and therefore valuable data.

It is a major challenge for those in the application security (AppSec) space, and building security in from the moment development starts is a necessity.

“The timeline for a completed app to be delivered to the marketplace is shortening,” said Renaissance director Michael Conway. “What that means is you need to be building security in, right throughout the whole process.”

The ever-shrinking gap between development and release, and security’s struggle to keep up with it, is something the panel’s lead facilitator, Uleska CEO Gary Robinson, has watched over his 20-plus years in the industry.

“Software, especially over the last five years, has really accelerated but security hasn’t,” he said. “A lot of the talk in the world of security and software is all about how we can get these security assurance checks to fit into that fast-paced cycle model.”

“Almost a type of cultural shift has happened in software engineering where the devs are now in charge. Security is usually the kid who is telling everyone what they can’t do and is never liked.”

Security can be seen as the spoilsport that tells everyone what they can’t do and gets in the way of the fun stuff, but its inclusion is essential. No developer can be expert in every area of development, and even if they were, both regulators and customers would still demand assurance that this is the case.

That is why being able to demonstrate compliance with the likes of GDPR and ISO 27001 matters so much for development organisations.

Conway points out that modern apps rely on application libraries hosted in the cloud to carry out routine functions, and those libraries bring their own vulnerabilities with them.

The result has been a generation of tools that dovetail application development and security work so that the two run in tandem.

“These innovative tools are identifying challenges and vulnerabilities during the application development lifecycle so that when the app is complete, it’s already secure.”

That need for agility is the big challenge every business faces when developing or updating an app. The drivers are usually commercial, and there are stakeholders determined to see something released as soon as possible.

That puts pressure on developers simply to ship, but what they ship has to be secure, or it creates far bigger problems further down the line. With cloud delivery having changed the game on release speed and update frequency, there is a greater reliance on automated tools for specific checks.

“With automated checks, you can’t check everything, but you can give yourself a level of comfort,” said Robinson. “You can say ‘there’s a lot of low hanging fruit around here but I’m protected against it’ and that’s the first thing that hackers will try.”

“Look at British Airways, look at EasyJet, look at the TalkTalk hack, or the Equifax hack. They’re all things that common tools can find and alert you to but if you don’t have them running, you’re not getting alerted.”
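What one of those automated checks does in practice can be shown with a small software-composition-analysis (SCA) style gate. This is an added example written for this page, not code from the article or from Veracode or Checkmarx. The manifest, the package names (fictional), the advisory identifiers (EXAMPLE-000x, not real CVEs) and the version ranges are all constructed for illustration. It parses pinned dependencies, matches them against an advisory feed and fails the build at a severity threshold, which is both the library risk Conway raises earlier and the low-hanging-fruit check Robinson describes.

```python
"""
Minimal SCA-style dependency gate (added example; not the article's or any vendor's code).

Parses a constructed requirements.txt-style manifest, compares each pinned
version against a constructed advisory feed, and returns the findings a CI
job would fail the build on. Package names and advisory IDs are fictional.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed manifest (fictional packages). Pins may have spaces around '=='.
SAMPLE_MANIFEST = """\
# requirements.txt (constructed sample; package names are fictional)
libalpha==2.19.0
libbeta==1.1.2
libgamma == 5.1
libdelta==2.11.3
"""

# Constructed advisory feed: (package, introduced, fixed, advisory_id, severity).
# A version v is affected when introduced <= v < fixed (half-open range),
# which is how most advisory databases express affected ranges.
SAMPLE_ADVISORIES = [
    ("libalpha", "0.0.0", "2.20.0", "EXAMPLE-0001", "high"),
    ("libgamma", "0.0.0", "5.4",    "EXAMPLE-0002", "critical"),
    ("libdelta", "2.0.0", "2.11.3", "EXAMPLE-0003", "medium"),  # fixed exactly at the pin -> not affected
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

VersionTuple = Tuple[int, ...]


def parse_version(v: str) -> VersionTuple:
    """Turn '5.1' or '2.19.0' into a comparable tuple, padded to 3 parts; non-numeric tails are dropped."""
    parts: List[int] = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {package_lower: pinned_version} for exact '==' pins; comments, blanks and ranges are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][A-Za-z0-9.\-]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    fixed_in: str


def scan(manifest: str, advisories=SAMPLE_ADVISORIES) -> List[Finding]:
    """Match every pinned package against the advisory feed and collect the affected ones."""
    pins = parse_manifest(manifest)
    findings: List[Finding] = []
    for pkg, introduced, fixed, adv_id, severity in advisories:
        if pkg not in pins:
            continue
        v = parse_version(pins[pkg])
        if parse_version(introduced) <= v < parse_version(fixed):
            findings.append(Finding(pkg, pins[pkg], adv_id, severity, fixed))
    return findings


def gate(findings: List[Finding], fail_at: str = "high") -> bool:
    """True when the build may pass: no finding at or above the fail_at severity."""
    return all(SEVERITY_RANK[f.severity] < SEVERITY_RANK[fail_at] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_MANIFEST)
    for f in results:
        print(f"{f.advisory} [{f.severity}] {f.package}=={f.version} (fixed in {f.fixed_in})")
    print("PASS" if gate(results) else "FAIL")
```

Run against the constructed manifest, the gate reports libalpha and libgamma and fails the build; libdelta is pinned exactly at its fix version and is correctly left alone. A real pipeline would pull the advisory feed from a vulnerability database and run this on every pull request rather than once before release.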

The vendors taking part in the panel discussion are best-in-breed providers of the checks that keep application security up to scratch.

The first is Veracode, which manages an entire application security programme from a single platform. By providing automation, integration and collaboration, it ensures that security assessments and vulnerability remediation are completed at defined points throughout the development cycle.

The other is Checkmarx, which specialises in application security testing and treats security as inseparable from software development. Through a comprehensive, unified software security platform, it embeds security into every stage of the CI/CD pipeline and minimises software exposure.

Both will play a significant role in this area as the average development timeline continues to shrink. As the range of attacks evolves and diversifies, these tools can be the difference that helps a company spot a risk or threat.

“The vendor session will help people understand what automated security testing does, the latest trends from it, and how to wrap it into their existing DevOps process.”

Meet the vendors presenting at Application Security

Veracode

Software is crucial in our digital world, and organisations now need the ability to confidently and efficiently create secure software that moves their business forward. Headquartered in the USA with offices across the world, Veracode helps companies efficiently deliver secure code from the start of development by providing application security automation, integration and collaboration. By embedding into an existing software development workflow, Veracode ensures that security assessments and vulnerability remediation are completed at logical points throughout the development cycle. A seven-time leader in the Gartner Magic Quadrant, Veracode has successfully fixed approximately 76 per cent of the severe application security flaws faced by its customers.

Checkmarx

Software security has never been more business-critical, but if it gets in the way of DevOps it simply will not work; security must therefore be inseparable from software development.

Checkmarx makes software security essential infrastructure, setting a new standard that is powerful enough to address today’s and tomorrow’s cyber risks. It delivers a comprehensive, unified software security platform that tightly integrates SAST, SCA, IAST and AppSec Awareness to embed security into every stage of the CI/CD pipeline and minimise software exposure.

Headquartered in Israel, Checkmarx is trusted by over 1,400 organisations around the globe to accelerate secure software delivery, including more than 40 per cent of the Fortune 100 and large government agencies.

OT security: defending the line linking devices and IT systems

Business Stream 7:

OT Security

If you want to highlight the importance of Operational Technology (OT) security, you only need to look back to June this year.

At the time, car manufacturer Honda was hit by a major cyberattack that impacted its operations around the world.

Honda was the victim of ransomware from the EKANS/SNAKE family, which forced it to temporarily shut down some of its production facilities and to close its customer and financial service operations.

No personally identifiable information was lost, but the disruption alone will have been a major setback.

It is a warning to any company with industrial operations, specifically those using OT. OT is the hardware and software that monitors and controls physical processes, devices and infrastructure, and it is found in industries such as pharmaceuticals and utilities.

Recent years have seen these machines connected to sensors and ERP systems to improve output and tracking. That gives a better overview of processes, but with the disappearing network perimeter now the norm, security becomes a crucial component, and it is something the Cyber Expo Ireland panel will discuss in November.

The lead facilitator for the panel discussion, journalist and commentator Paul Hearns, notes that the effective migration of these machines from isolated industrial systems into data systems has created a disconnect in how they are treated.

“Inevitably they’re connected to the likes of software packages and right into core systems like ERP,” he said. “Essentially what it means is you’re connecting a set of sensors, processors, and controllers that were never really designed to be exposed to IP-type networks. There is still a hangover from those days [of OT machines not being connected].”

These machines are crucial to utility services like water and electricity, and an attack can have devastating consequences not just for the operator but for everyone relying on it.

Hearns cited the example of a German steel mill that was the victim of a cyberattack in 2014. Attackers gained access to its control systems; parts of the plant failed and a blast furnace could not be shut down in the normal way, causing massive damage.

Add the 2017 NotPetya outbreak (widely reported at the time as Petya), which disrupted the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant, and this year’s EKANS attack on Honda, and it is clear that such attacks have significant real-world ramifications.

These issues only grow when you consider that one of the big OT trends, according to Hearns, is convergence with the Industrial Internet of Things (IIoT). It took a long time for security to be baked into IoT devices, and OT, with its legacy of never being designed for networked exposure, suffers a worse version of the same problem.

“Essentially there are a couple of things that are at play here,” he said. “First of all, there’s the legacy of not thinking of the types of security that are necessary for these networked devices.”

“Secondly there’s the convergence with IoT with the pure industrial side of things and finally the fact that these industrial control systems and SCADA systems and those type of systems are generally attached to very high-value industries.”

Because they are attached to high-value industries, attackers see them as a ransomware opportunity with a big payday attached.

That said, there are ways to protect against this, and OT security tooling is developing to withstand it.

Measures such as network segmentation limit how far an attacker who has compromised one part of a network can move into the rest of it, and companies should always have protections and response plans in place for when an incident does occur.

There are also other technologies from vendors who are taking part in the panel discussion.

You have Claroty, which brings IT and OT together and improves the availability, safety and reliability of OT environments for enterprises and critical infrastructure operators. Alongside it is Acalvio, which provides Advanced Threat Defence solutions to detect, engage and respond to malicious activity within enterprise IT, IoT and ICS environments.

Finally, there is MarketScape, which provides near real-time monitoring of cyberattacks across the Dark Web, the Deep Web and other digital channels so organisations can take a proactive approach to security.

All three vendors are now playing major roles in OT security, and Renaissance director Michael Conway notes that much of it comes back to the basic question of knowing what you have.

“Each device and piece of equipment is potentially a hole so until you understand where those holes are, it’s very difficult to protect them,” said Conway. “One of the first challenges is the inventory and if you can identify the holes and threats, then you can start monitoring and managing.”
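Conway’s point about inventory and the earlier point about network segmentation can be shown together in one small script. This is an added example, not code from the article or from Claroty, Acalvio or MarketScape. The flow records, the zone subnets and the conduit policy are constructed assumptions; the ICS port numbers are the real protocol defaults. It builds a passive inventory of hosts serving industrial protocols from flow records, then checks every flow against a zones-and-conduits policy (the model IEC 62443 uses) in which IT may only reach OT through a DMZ, flagging the direct IT-to-OT connections that segmentation is meant to stop and, in the reverse direction, an OT host reaching into IT.

```python
"""
Passive OT asset inventory and zone/conduit check (added example; not the article's or any vendor's code).

Takes constructed flow-log lines of the kind a span port or NetFlow exporter
would produce, fingerprints hosts that serve industrial protocols, and checks
each flow against an assumed zone policy. Addressing and policy are assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Real default ports for common industrial protocols, used to fingerprint OT assets.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}

# Assumed zones (constructed addressing).
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Assumed conduit policy: (source zone, destination zone) pairs that may talk.
# IT never reaches OT directly; it must go through the DMZ. Anything else is a violation.
ALLOWED_CONDUITS = {
    ("IT", "IT"), ("IT", "DMZ"), ("DMZ", "DMZ"), ("DMZ", "OT"), ("OT", "DMZ"), ("OT", "OT"),
}

# Constructed flow records: "src_ip,dst_ip,dst_port,proto"
SAMPLE_FLOWS = """\
# constructed sample flows
192.168.100.20,192.168.100.10,502,tcp
192.168.100.20,192.168.100.11,102,tcp
10.2.0.5,192.168.100.10,502,tcp
10.1.4.77,192.168.100.11,102,tcp
10.1.4.77,10.2.0.5,443,tcp
10.1.9.3,192.168.100.12,44818,tcp
192.168.100.10,10.1.4.77,3389,tcp
"""

Flow = Tuple[str, str, int, str]


def zone_of(ip: str) -> str:
    """Name of the zone whose subnet contains ip, or UNKNOWN if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flows(text: str) -> List[Flow]:
    """Parse CSV flow lines into (src, dst, dst_port, proto); comments and blanks are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = [p.strip() for p in line.split(",")]
        flows.append((src, dst, int(port), proto.lower()))
    return flows


def build_inventory(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Map each host that serves an ICS port to the protocols observed on it."""
    inv: Dict[str, Set[str]] = defaultdict(set)
    for _src, dst, port, proto in flows:
        if proto == "tcp" and port in ICS_PORTS:
            inv[dst].add(ICS_PORTS[port])
    return dict(inv)


def check_conduits(flows: List[Flow]) -> List[dict]:
    """Return every flow whose (src zone, dst zone) pair is not an allowed conduit."""
    violations: List[dict] = []
    for src, dst, port, _proto in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED_CONDUITS:
            violations.append({
                "src": src, "dst": dst, "port": port,
                "path": f"{pair[0]}->{pair[1]}", "ics": ICS_PORTS.get(port),
            })
    return violations


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("OT assets by protocol:")
    for host, protos in sorted(build_inventory(flows).items()):
        print(f"  {host}: {', '.join(sorted(protos))}")
    print("Conduit violations:")
    for v in check_conduits(flows):
        print(f"  {v['path']} {v['src']} -> {v['dst']}:{v['port']} ({v['ics'] or 'non-ICS'})")
```

On the constructed flows the inventory finds three OT assets (a Modbus, an S7 and an EtherNet/IP device) and the conduit check flags two IT workstations talking straight to PLC ports and one OT host opening RDP towards IT. The first two are the segmentation gaps Conway describes as holes; the third is the kind of unexpected direction a behavioural baseline exists to catch, and both are only visible once the inventory exists.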

Smaller companies, or those unfamiliar with OT, may feel it does not involve them much, but Conway says it is an area that will attract a lot of attention over the next 24 to 36 months.

Most companies will encounter OT security closest to home in the building they occupy, through building management systems (BMS).

A BMS is an overarching control system that monitors and controls a building’s mechanical and electrical equipment, such as lighting, plumbing and heating, and Conway expects such facilities to eventually be managed much like computers.

As a result, the overlap between IT and OT expertise has grown to the point where the two roles are almost the same: alongside reporting and analysis, both manage the risks and threats an organisation faces.

It is more important than ever for both sides to work together, because it is in both their interests. That view is not always shared by both teams, but Conway notes that “the best projects we’ve seen is when the IT and OT people work together”.

Meet the vendors presenting at OT Security

Acalvio

Acalvio is a Silicon Valley-based company led by an experienced team with a track record of innovation and market leadership. With a mission to detect, engage and respond to advanced multi-stage cyber attackers with precision and speed, Acalvio owns patented innovations in Cloud, Artificial Intelligence and Software Defined Networking (SDN). These have allowed Acalvio to deliver the award-winning Autonomous Deception platform, ShadowPlex, designed for Enterprise IT, IoT and ICS environments. ShadowPlex represents an architectural leap over earlier generation deception solutions in its detection efficacy and deployment efficiency. The solution provides comprehensive API support, allowing deception campaigns to be orchestrated from other environments.

Claroty

Claroty solutions improve the security of Operational Technology (OT) networks by improving the availability, safety and reliability of OT environments for enterprises and critical infrastructure operators. Headquartered in New York, Claroty reduces the overall complexity of OT security and decreases total cost of ownership, ensuring more uptime and greater efficiency across production operations. Continuous Threat Detection (CTD), the foundation of the platform, uses five detection engines to profile the assets in an OT network and generate a behavioural baseline that separates legitimate traffic from genuine alerts, raising those alerts in real time. Its Secure Remote Access (SRA) provides a single, secure, clientless interface through which all legitimate remote users connect before performing activities within OT networks.

MarketScape

The most sophisticated cyber criminals hide in the darkest corners of the internet. Headquartered in Copenhagen, MarketScape delivers an innovative cyberthreat intelligence service that anonymously scours the dark web, social media and other digital channels. The result of this is fresh, automated, and actionable threat intelligence delivered to organisations, protecting critical data from the outside in. Scalable cloud-based or on-prem technology works exclusively with close strategic partner Munit.io to deliver results for governments and law enforcement. Their products include MarketScape Secure Cloud, MarketScape Enterprise, Darkweb and Marketscape API.
