Enterprise Application Security Best Practices 2020
Are you sure that your application security is bulletproof?
It could be a sunny beach, a snowy mountain slope, or a misty forest. Every one of us has this perfect place where we spend our vacations – where we feel at peace. Until…
A telephone rings.
It is from work. There was a security breach and one of your important enterprise applications is no longer working. Your customers cannot use it. Everything is crumbling down. What happened? You quickly pack and go straight to your hotel room. You’ll spend the rest of the vacation there.
This is something that I lived through in my previous workplace. We never thought too seriously about security. And we suffered because of our misjudgment – the truth is that no matter how big or small a business is, it can be targeted, and its vulnerabilities can be exploited. Especially if you think that there is nothing worth stealing or protecting.
The big companies have bigger cyber security budgets, but if they are not properly planned and executed, it is easy for an issue to slip through the cyber security checks.
There is a quote from Stephane Nappo, Global Chief Information Security Officer at OVHcloud, that perfectly describes the importance of enterprise application security:
“It takes 20 years to build a reputation and a few minutes of a cyber incident to ruin it”.
Consequences of an application security breach
- Significant financial losses.
- Theft of sensitive data.
- A negative perception of the brand.
- Distrust on the part of customers.
Sounds awful! Let’s make sure that it will never happen to your enterprise application.
To do that, in this blog post I will go through all the best practices that you must follow to have a secure enterprise application. That way you keep and strengthen the trust of your clients and can enjoy a pleasant and peaceful vacation.
We at ScaleFocus understand how important this is. That is why we perfected our security portfolio. The success stories of our clients put us among the leaders in the Top Cyber security Matrix of Clutch because we know how to secure our clients’ applications, systems, and infrastructures.
Before you leave for your well-deserved holiday, check all the important steps to secure your enterprise application:
#1: Understand your Assets and Perform a Risk Assessment
#2: Beware of False Alarms
#3: Implement Continuous Integration: Scanning for Threats
#4: Conduct Regular Security and Threat Assessments
#5: Invest in Ongoing Cyber Security Trainings
#6: Encrypt your Application
#7: Perform Application Penetration Testing
#8: Automate your Issue Management Process
#9: Perform Mobile Security Testing
Know the most common application security threats
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu | The Art of War
“Know your enemy” is an important rule when you want to ensure that your enterprise application is secured. It is the first step. We already have a comprehensive blog post on all the major application security threats.
Make sure you go through it to be fully informed. It is always a little scary to meet your demons but let me reassure you – it is time to learn how to handle them and to keep your enterprise application secured.
#1: Understand your Assets and Perform a Risk Assessment
In your company, you have a lot of applications and systems. Do you use them all? Think, for example, of a plug-in that was very popular when your business started, but that nobody uses today. There are so many applications and services that some of them can slip under the radar.
Or even worse – under the radar of your cyber security team. Hackers are always on the lookout for unpatched gaps like this because of their weaker security. This can be a dangerous little crack in your otherwise secured system.
That is why you must understand, track and know your full set of assets. If there is something that you no longer use, close it! Sever its ties to the rest of the system.
This inventory has to be automated, because manual tracking is neither fast nor thorough enough. The best solution is to create an automated process that keeps it up to date.
Also, you must periodically perform risk assessments of all your assets to be aware of their state.
#2: Beware of False Alarms
It may be a shock, but sometimes “better safe than sorry” is not the most optimal decision. Especially in the context of enterprise application security. Let me explain.
If your security system is constantly sending you alarms for problems, but most of them are false, this will cost you a lot. False alarms divert the time of your security team and your resources from the real problems in your application security.
When there is a security alarm, usually your security experts conduct the investigation. They have to reproduce the reported vulnerability to confirm or dismiss the problem. If the signal is false, the team has invested a lot of time and effort trying to fix something that is not there. But can they leave signals unchecked? No, it is too risky.
Because just like in real life, if an alarm in a house is triggered, the security team must check it. It could be a cat, or it could be a burglar. In both cases, the team will invest nearly the same effort and resources, but the results will be completely different.
The other problem is that if your security team is detecting a lot of false alarms, they could miss the real one. I will give you an example. Your team detects 50 vulnerabilities, but 35 of them are false. There is a big chance that they will mark all of them as false.
According to a report by Kaspersky, for the first six months of 2019, just 515 alerts from more than 40,000 were traced back to an attack. For comparison, three years ago, “The State of Malware Detection and Prevention” by Cyphort showed that less than 20 percent of the 17,000 malware alerts that organizations receive weekly were seen as reliable. These cost organizations 1.3 million USD or 21,000 hours of investigation time.
Maybe you are already wondering what to do – you don’t want to waste time and resources on a wild goose chase, but at the same time you cannot risk the security of your enterprise application. If you are a big enterprise with a dedicated detection and response security team and a big budget, maybe for you it is a no-brainer – check everything and make sure that it is secured.
But for the rest? The solution is MDR or Managed Detection and Response Service.
With MDR you prevent breaches through earlier detection and more effective response. Our experienced security team prevents breaches through earlier detection via a 24/7 threat intelligence center. In this way, we are sure that all the signals and threats are handled, and application security is fully intact.
#3: Implement Continuous Integration: Scanning for Threats
If the enterprise application is not regularly scanned, it is more vulnerable to attacks. Shocking, I know!
If you have a small number of applications, the process of threat scanning can be easily tracked and executed. In a large enterprise, this process is very time-consuming and takes a lot of resources. Also, it is not a very good idea to test your application security only once it is already in production or has already been updated. The best-case scenario is to have an automated vulnerability scanning and reporting process.
The solution is a CI/CD (continuous integration and continuous delivery) process. It is a smart way to automate different parts of your workflow, for example, delivering updates to your software.
This process can ensure your application security as well. We have already done it for a major European company that builds tailor-made software solutions.
Our task was to automate the vulnerability scanning and reporting process for one application. An interesting task for our security experts. First, they built a custom vulnerability scanning tool. Then, they integrated it with the already functioning CI/CD process for front-end tests.
Now, whenever there is new code or an update, the system performs an automatic vulnerability check.
#4: Conduct Regular Security and Threat Assessments
This time, I will start with the example first. It is the easiest way to depict why you have to conduct regular security assessments of your enterprise applications or systems.
One of the leading global airline companies had a new application. Naturally, it had to be secure and GDPR-compliant. It also had to go through an extensive vulnerability assessment because it would store sensitive customer data.
ScaleFocus’ security team made the security assessment and found over 22 security gaps. Eight of them were critical.
After the assessment, the development team fixed all the gaps, and we made a second evaluation. This time the application security was spotless.
I am not giving this example because it is an exception. No, this is a common thing. If you want your enterprise application to be secure, you must make the regular security and threat assessments part of your policy. When done right, your team will identify vulnerabilities in your application security in advance, thus helping you optimize your security budget.
#5: Invest in Ongoing Cyber Security Training
Testing, looking for gaps, and fixing them is only part of the way to a more secure enterprise application. You have to think about the human factor as well.
That is why one of the most important but often neglected practices is the internal cyber security training of your employees, especially the executives of the company. They are critical for your enterprise application security as they are likely targets for hackers’ attacks.
A survey by SyncSort among 319 professionals found that email security and employee training were listed as the top problems faced by IT security professionals. Yet, a survey by Wombat Security Technologies showed that more than 30% of the interviewed employees didn’t know what phishing or malware is.
The dangerous thing here is that you may have done everything else on this list, but your application’s security can still be put on the line if your employees are not well-trained. At some point, despite your greatest endeavors, someone could plug a USB flash drive found on the street into a corporate PC. And that is it – your company’s security is breached.
To prevent this, you must invest in cyber security training. Your employees must understand how to spot the different cyber security threats, including spam, phishing, malware, and ransomware. Also, never forget to explain the importance of strong passwords and to give guidelines on how to use email, the internet, and even social media.
Source: Wombat Security Technologies
Internal cyber security training is a continuous process, but it is a rewarding one. We saw this with one of our clients. An ex-employee had left a lot of backdoors in the enterprise application and in the entire system infrastructure. The employees of the company didn’t know how to address the problems they were experiencing.
Our cyber security experts were hired to find out what was causing all the problems in the enterprise application. After we secured the application, our team conducted an internal training on how to better manage security and not to provide sensitive information to anyone outside the company.
We tailor the training program to your specific business needs.
#6: Encrypt Your Enterprise Application
Encryption is a practice that is becoming more popular as more businesses move to the cloud. In a nutshell, encryption transforms data so that it can only be read by its intended recipient. It uses a set of instructions (a cipher) that makes the information impossible to read without the cryptographic key.
Planning the encryption of your applications must be part of your long-term security strategy. It is completely understandable if you still have doubts about whether and how to execute it. The encryption of an enterprise application is still a process that many companies find hard to decide on. The main reason is the perceived trade-off – do they want their enterprise applications to be secured, or do they want easy access to their data.
The thing is that you can start by encrypting only some, or even just one, of your enterprise applications. There is no universal approach – it all depends on your business needs. Our cyber security team will help you recognize whether (and exactly which of) your enterprise applications have to be encrypted and will help you do it.
Of course, I have prepared a real-world case. A company in the field of software development needed a secure server to store and manage its secrets. Our team implemented the server and configured it to provide homomorphically encrypted keys only to employees with the rights to access them.
One important thing about enterprise application security – don’t make the mistake that others do – never store the encryption keys in the same location as the data itself. Encryption keys must be kept in an offsite location in case of disaster.
#7: Perform Application Security Penetration Testing
The penetration testing of your enterprise application security is a key component in keeping your company secure.
Whereas a threat assessment is not an aggressive way to test the security posture of your enterprise applications, a penetration test is a more invasive method of finding gaps that can be exploited. That is exactly why the people who perform it are called white-hat hackers. They try everything in their power and within their knowledge to smash through your application security. They use different tools, like OWASP Zed Attack Proxy (ZAP), Wireshark, and Kali Linux, but a professional penetration test also includes custom-made tools for the specific application and a lot of manual work.
Because this is an invasive type of testing, it can lead to system downtime. However, through this method, the security team captures all of the security vulnerabilities and gaps of the enterprise applications and lists them by their level of danger (high, medium, low).
This is exactly the way our security team conducted penetration testing for one of the big international financial organizations with close to 200 member states. After the test, the client was able to comply with multiple IT regulations, laws, and standards, enhanced its cyber-defense capabilities and increased operational efficiency and ability to meet corporate security objectives.
When you decide to go through a penetration test, you must choose a trusted and experienced partner. It may sound redundant, but white-hat hacking is still hacking, so you must be careful.
Check our portfolio of penetration testing services and let us assure you of our experience and skills.
#8: Automate your Issue Management Process
This is an interesting practice that speeds up the process of solving issues and reduces the risk of missing a problem. I must admit that this is not among the most popular practices, but if you can integrate it into your enterprise processes, it will be helpful.
The idea is to integrate the whole process of vulnerability scanning and reporting with an issue tracking system. In the best-case scenario, the vulnerability scanning tool will be able to read and create issues automatically.
#9: Perform Mobile Security Testing
I will make a wild guess that almost everyone in your company has a smartphone. These small devices are an integral part of our life and our work process. They must be protected as well. Never forget about these devices, because they usually handle a large part of our communications – calls, chats, emails, etc.
The mobile operating systems (Android and iOS) are more secure than desktop operating systems, but this doesn’t mean that they cannot be penetrated and used as a door to your enterprise applications.
The popularity of the smartphone. Source: Wombat Security Technologies
Per the Mobile Security Testing Guide of OWASP, mobile apps differ in that there is a smaller attack surface, and therefore more security against injection and similar attacks. Instead, you must prioritize data protection on the device and the network to increase mobile security, including communication with endpoints.
Our security team will handle mobile security testing in your company. All it takes is to contact us with a request for service.
The full protection of your enterprise applications is a comprehensive process with a lot of steps that you must think of. And every step is an important one because building a secure environment is like building a wall – if there is a missing piece it could crumble under the smallest shake.
Defend your enterprise application by contacting our cyber security team now.
Author (with the kind support of ScaleFocus’ top security experts):
Viktor Dzhambov | Senior Marketing Copywriter