
Stephanie Domas
on 11 August 2025

A CISO’s guide to Application Security best practices


When most people think about the most important ingredients of software, Application Security (AppSec) is unlikely to be at the top of the list… but it should be. Without AppSec, you face severe risks of data breaches, massive fines, enraged users, and severe financial losses. For example, in 2021, Ireland’s Data Protection Commission (DPC) fined Meta $18.7 million for a series of data breaches – a staggering fine that’s becoming more commonplace, given how new laws, like the EU Cyber Resilience Act, are sweeping across the globe.

Of course, many people hear “AppSec” and think “patching vulnerabilities”, but AppSec is about so much more: it’s about embedding security thinking into every stage of your application’s lifecycle, from initial design to ongoing operations. In this blog, we’ll cover essential best practices that will help you build secure applications from the ground up, uncover potential risks, refine your cybersecurity fundamentals, manage your software supply chain, and implement rigorous testing and monitoring. 

Security starts weeks before a single line of code is written 

People often choose software for simple reasons: it’s what they know, it works, or it’s free to use. However, as you’re picking the perfect stack, you should think beyond cost and licences to other factors, like interoperability, lifecycles, release cadences, and architectural complexity (is it hard to backport fixes, or migrate between versions, or even to other software?). Essentially, you should also be thinking “how do the choices I make right now affect my risk profile in five years’ time?”

For example, Ubuntu is an extremely popular choice of platform for developers, not just because it’s open source, but because it’s designed to provide a stable, supported, and reliable long-term foundation on which to build and scale your software. You should treat your security design philosophy in the same way: pick something you can depend on as a ladder to future success.

One way of setting yourself up for long-term success is adopting a Secure Software Development Lifecycle (SSDLC). At its core, SSDLC means that you actively integrate security measures into every phase of the software development process, from your early brainstorming and design work, right through to your launch and support services.

Broadly speaking, this is what that could include:

  • Identify all your project requirements and specifications before you start
  • Assess your threat landscape, and model the most likely threats
  • Adopt industry standards and guidelines, like the NIST CSF
  • Implement rigorous testing and monitoring
  • Patch vulnerabilities promptly across your app lifecycle

Here are my 9 AppSec best practices to help you secure everything you use.

1) Assess the risks and exposures most likely to affect you

Good AppSec goes hand in hand with vulnerability management. To that end, you should conduct an extensive review of your chosen architecture: assess the most severe and most likely threats, and triage them according to your risk profile. 

This process will help you to triage and address the threats most likely to affect you, while opening up a clearer roadmap to improve your overall application security posture.

AppSec is holistic; you also want to closely examine cybersecurity risks that lie beyond the traditional landscape of software, hardware, and networks. This could be anything from how you hire and vet employees, to how you manage access to the building, to how your internal communications happen, both inside and outside of the workplace.

To learn about how to conduct a vulnerability assessment, check out this guide from our Security Engineering Manager Luci Stanescu.

2) Master your cybersecurity fundamentals

Great AppSec relies on the fundamentals in your application design and cybersecurity controls. The best steps to double down on your cybersecurity to create robust AppSec are:

  • Implement a Zero Trust strategy wherever possible.
  • Ensure everything operates from a Secure by Default design principle.
  • Ensure that you’re using robust authentication, authorization, and access control, such as MFA, strong password requirements, and secure session management. We use Auth0 OpenFGA (for permission management), Ory Hydra (as the OAuth server), and Ory Kratos (for authentication and user management) for our own authentication processes, which we have published as a charm that’s free to use.
  • Minimize your attack surface – if a port, component, package, etc., isn’t actively being used by your system, it should be disabled by default until it’s needed.
  • Encrypt all sensitive data, at rest and in transfer, and avoid plaintext or cleartext data.
  • Validate and sanitize all input and handle all exceptions.
  • Minimize the access permissions of apps and systems, and design your baseline to stop server-side request forgery.
  • Institute regular developer training and upskilling in security essentials, so that everyone building your apps and systems is aware of common vulnerabilities and can avoid them.
  • Secure the APIs that you consume or expose. This should include steps that monitor API use and restrict resource sharing, traffic abuse, and excessive API requests.
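Two of the items above, validating input and designing against server-side request forgery, are easiest to see in code. The following is an added example, not code from the original post or from Canonical: it validates a user-supplied URL before a backend service fetches it on the user’s behalf, denying by default and allowing only HTTPS to an explicit host allowlist, while rejecting literal addresses in private, loopback and link-local ranges. The allowlist hosts are assumed values chosen for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of upstream hosts this service may call (constructed for the example).
ALLOWED_HOSTS = frozenset({"api.example.com", "payments.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})
MAX_URL_LENGTH = 2048


def is_blocked_address(host: str) -> bool:
    """True when host is a literal IP in a range an outbound fetch must never reach
    (private, loopback, link-local, multicast, reserved or unspecified)."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not a literal IP; host names are checked against the allowlist instead
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Deny-by-default check for a URL the server is asked to fetch on a user's behalf.
    Returns (ok, reason); the reason contains no secrets and is safe to log."""
    if len(url) > MAX_URL_LENGTH:
        return False, "url too long"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url"   # 'https://foo@host' defeats naive host checks
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if is_blocked_address(host):
        return False, "address in blocked range"
    if host not in allowed_hosts:
        return False, f"host not in allowlist: {host}"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"port not allowed: {port}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/orders",
                      "http://api.example.com/",
                      "https://10.0.0.5/admin",
                      "https://evil.example@api.example.com/",
                      "https://api.example.com:8443/"):
        print(candidate, "->", validate_outbound_url(candidate))
```

This checks the host as written in the URL. An allowlisted name can still resolve to an internal address at connection time, so the same blocked-range test should also be applied to the address the HTTP client actually connects to, and redirects should be re-validated rather than followed blindly.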

There are many ways you can approach and deliver these security fundamentals, but whichever route you choose, your focus should be on building a multilayered defense against attacks across multiple attack vectors. If you’re looking for a guide to what that looks like, I highly recommend reading our latest white paper on building in-depth, multilayered security.

3) Secure and simplify your software supply chain 

Keeping your app or service secure is obviously the main goal of cybersecurity. However, the expanding open source landscape of software and packages means that it’s not just as simple as maintaining one program, but maintaining a great many packages, libraries, and sources, as part of a complex software supply chain.

There are several steps you can take to secure and simplify your supply chain. First, you should choose libraries with track records of regular maintenance and security updates. Depending on your needs, be sure to look for compliance that aligns to your requirements (such as PCI-DSS, ISO 27001, or the newly adopted Cyber Resilience Act). Just remember that you should also internally verify your sources, authenticate the contents of the libraries you download, and limit code execution to only trusted code. If your chosen libraries must include dependencies, be sure that you’re scanning them for vulnerabilities, including their transitive or nested dependencies.
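As an added example (not from the original post and not Canonical’s own tooling), here is what “authenticate the contents of the libraries you download” and “scan transitive dependencies” look like in practice: a lock file in pip’s hash-checking format is audited for entries with no pinned digest, and each downloaded artifact is compared against its pin in constant time before it is installed. The package names, the lock file and the artifact bytes are all constructed for the example.

```python
import hashlib
import hmac
import re

# One lock-file line: name==version followed by zero or more --hash=sha256:<hex> pins.
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-fA-F]{64})*)\s*$"
)
HASH_PIN = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Compare the digest of a downloaded artifact with its pin in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def audit_lockfile(text: str) -> dict:
    """Classify every requirement line: pinned (name -> digests), unpinned, or invalid.
    Anything unpinned or invalid should fail the build, which is what pip's
    --require-hashes mode enforces."""
    pinned, unpinned, invalid = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if m is None:
            invalid.append(line)
            continue
        digests = [h.lower() for h in HASH_PIN.findall(m.group("hashes"))]
        if digests:
            pinned[m.group("name")] = digests
        else:
            unpinned.append(m.group("name"))
    return {"pinned": pinned, "unpinned": unpinned, "invalid": invalid}


def check_download(name: str, data: bytes, lock: dict) -> str:
    """'ok' if the bytes match a pinned digest, 'mismatch' if not, 'no pin' if never pinned."""
    digests = lock["pinned"].get(name)
    if not digests:
        return "no pin"
    return "ok" if any(verify_artifact(data, d) for d in digests) else "mismatch"


# Constructed stand-ins for two downloaded wheels; a real build reads them from disk.
GOOD_ARTIFACT = b"example-lib-1.0.0 wheel contents (constructed)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# one extra line is enough to change the digest"

# Constructed lock file: one pinned direct dependency, one unpinned transitive one, one bad line.
SAMPLE_LOCK = (
    "# constructed lock file in pip's hash-checking format\n"
    f"example-lib==1.0.0 --hash=sha256:{sha256_hex(GOOD_ARTIFACT)}\n"
    "transitive-dep==0.3.1\n"
    "not a requirement line\n"
)


if __name__ == "__main__":
    lock = audit_lockfile(SAMPLE_LOCK)
    print("unpinned:", lock["unpinned"], "invalid:", lock["invalid"])
    print("good artifact:", check_download("example-lib", GOOD_ARTIFACT, lock))
    print("tampered artifact:", check_download("example-lib", TAMPERED_ARTIFACT, lock))
```

The unpinned transitive dependency is the case that matters most: a lock file that pins only direct dependencies leaves every nested package free to change underneath the build, so the audit treats “no digest” as a failure rather than a warning.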

Of course, you really should be thinking about where you can avoid consuming packages: a minimal attack surface is vital, and the fewer unnecessary libraries and packages you use, the fewer attack vectors your final build will contain. Things like secure containers can help to strip down builds to their smallest, most securely designed footprint, and this approach can be further reinforced by gathering package updates and security fixes directly from your OS.

4) Test, test, and test again. And then test your tests.

It should go without saying, but rigorous testing of your applications and systems before go-live is not negotiable. New cybersecurity regulations (like the above-mentioned EU Cyber Resilience Act) have tightened the loopholes of the rush-an-MVP-to-market “move fast and break things” practices of yesteryear. 

You need to ensure that your software, systems, and products are operating as expected, even in unexpected circumstances and environments. At base level, you should be iteratively testing your code and outputs, but you should also be benchmarking and running performance and stress tests to ensure you’re going far beyond a simple ‘it works’. If not, you could be on the receiving end of a very expensive email from an enraged Data Protection Officer.

5) Trust, but verify – externally

This follows on from the point above, but it’s not enough to just test your apps yourself and think you’re covered. All organizations have blind spots, biases, or priorities that compete with rigorous testing, and the only way to know if they are secure (rather than assuming they are) is to get non-biased confirmation of that fact. 

That confirmation comes in the form of independent organizations who can security test your applications and systems. Security evaluations can take the form of penetration testing, validation tests, or compliance assessments, depending on your product and market needs. There are countless organizations who offer penetration testing, security testing, and more, so make sure to pick one that has been accredited to do this work properly – for example, CREST-approved organizations.

6) Adhere to cybersecurity regulatory requirements

It’s critical to understand and adhere to modern security standards. Identify which regulations apply to your organization – whether it’s PCI-DSS, the CRA, ISO 27001, NIST CSF, GDPR, HIPAA, SOC 2 – and implement security controls like data encryption, access controls, and secure authentication to meet these requirements. Estate management and monitoring tools like Landscape can be useful for automatically deploying compliant profiles and systems across your organization.

Visit our website for a comprehensive listing of major cybersecurity standards.

Regular compliance audits, both internal and external, help verify your adherence to these frameworks and best practices. It’s also important to maintain thorough documentation of security policies, risk assessments, and compliance reports. Of course, compliance isn’t just about systems, it’s about people: so you should ensure that all employees, from developers to stakeholders, are trained on what the regulations demand and how to comply with them. You could even appoint an Open Source Program Officer to guide your adoption of new open source tools in a way that’s compliant with regulatory requirements.

7) Enable long-term monitoring and logging

As a baseline, your apps should natively log any and all relevant security events, so that your end users can monitor their use of your apps, and further improve their own security practices. 

Additionally, you must have a robust security reporting workflow and incident response process for both internal and external reports. Anyone running an app needs to have a well-documented and well-tested mechanism for users and third parties to be able to report potential vulnerabilities, and for the organization to be able to respond and address them. Finally, your organization needs to have tested playbooks for incident response in the event that something does go wrong.
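To make “natively log any and all relevant security events” concrete, the following added example (not code from the original post or from Canonical) emits one structured JSON line per authentication event and runs a sliding-window rule over those lines that flags a source address with repeated failures, the kind of signal an end user or operations team can act on. The event names, field names, addresses (documentation ranges) and timestamps are constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fields that must never reach a log line, even by accident.
FORBIDDEN_FIELDS = frozenset({"password", "token", "secret", "session_id"})


def log_security_event(event: str, ts: Optional[datetime] = None, **fields) -> str:
    """Render one structured, machine-readable log line. Timestamps are UTC ISO 8601
    so lines from different hosts order correctly; secret-bearing fields are refused."""
    leaked = FORBIDDEN_FIELDS.intersection(fields)
    if leaked:
        raise ValueError(f"refusing to log sensitive fields: {sorted(leaked)}")
    ts = ts or datetime.now(timezone.utc)
    record = {"ts": ts.isoformat(), "event": event, **fields}
    return json.dumps(record, sort_keys=True)


def detect_failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)) -> dict:
    """Sliding-window rule: a source_ip with at least `threshold` 'auth.failure' events
    inside `window` is reported once, with the count at the moment it crossed the line."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                # malformed input must not stop the pipeline
        if rec.get("event") != "auth.failure" or "source_ip" not in rec:
            continue
        ts = datetime.fromisoformat(rec["ts"])
        q = recent[rec["source_ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than the window
        if len(q) >= threshold and rec["source_ip"] not in alerts:
            alerts[rec["source_ip"]] = len(q)
    return alerts


# Constructed sample: lines exactly as the app would have emitted them.
T0 = datetime(2025, 8, 11, 9, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    log_security_event("auth.failure", T0, source_ip="203.0.113.7", user="alice"),
    log_security_event("auth.failure", T0 + timedelta(seconds=20), source_ip="203.0.113.7", user="alice"),
    log_security_event("auth.failure", T0 + timedelta(seconds=30), source_ip="198.51.100.9", user="bob"),
    log_security_event("auth.success", T0 + timedelta(seconds=45), source_ip="198.51.100.9", user="bob"),
    "this line is not JSON and must be skipped",
    log_security_event("auth.failure", T0 + timedelta(seconds=70), source_ip="203.0.113.7", user="alice"),
    log_security_event("auth.failure", T0 + timedelta(minutes=20), source_ip="203.0.113.7", user="alice"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print("alerts:", detect_failed_login_bursts(SAMPLE_LINES))
```

Two design choices carry the weight here: every event is a parseable record rather than free text, so the same lines feed a dashboard, an alert rule and a later forensic review without re-parsing; and the logger refuses secret-bearing fields outright, because a log store is usually far less protected than the system that produced it.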

8) Don’t reinvent the wheel

Every organization needs a security team, but that doesn’t mean you have to build everything yourself from scratch. There are a great number of automated tools, dedicated platforms, specialized applications, and service providers who can roll out everything you need for a secure baseline – whether it’s hands-free patching, around-the-clock monitoring and event alerts, or automated DAST/SAST tools that allow you to test your products extensively. 

Take Ubuntu Pro as an example. It takes much of the manual busywork and admin out of ongoing vulnerability management, by supporting restartless and automated patching, and access to a library of over 36,000 trusted packages for the most common toolchains and applications. By using it, you take care of patching efforts for your OS and apps – no time-intensive, manual management needed.


9) Work with experts with a clear track record of security

The best part about AppSec is that it’s a well-established field with plenty of resources to pull from. OWASP, for instance, is a volunteer-driven initiative that provides a treasure trove of extremely valuable cybersecurity resources for everyone who needs them.

If you lack the expertise, time, or resources to implement the baselines on your own, the AppSec landscape is filled with time-tested cybersecurity frameworks and controls, coordinated vulnerability platforms, trustworthy third-party security providers, industry benchmarks, and reliable long term support. For 20 years, Canonical has built and maintained Ubuntu and a wide range of some of the most popular and trusted open source applications and services in the developer community. When you use Canonical’s products, you’re not just drawing on 20 years’ worth of software development, but 20 years of security lessons applied across our product suite.

In conclusion, effective AppSec is not a one-time fix but a continuous journey across every facet of your application’s lifecycle. By embracing a Secure Software Development Lifecycle (SSDLC) from the outset, diligently uncovering potential risks, and mastering your cybersecurity fundamentals, you lay a robust foundation for resilient applications. Securing your software supply chain, implementing rigorous and external testing, and adhering to evolving regulatory requirements are also paramount. Finally, using long-term monitoring and logging, and knowing when to collaborate with trusted experts, ensures your applications remain secure in the face of ever-changing threats.

More reading and free resources

Global IoT and cybersecurity regulation is growing. Get the critical overview of how to deal with it in our IoT compliance white paper.
Download our IoT compliance white paper

Vulnerability management doesn’t need to take huge teams and months of work. Get our simple and effective roadmap to vulnerability management in our detailed, NIST-CSF-aligned whitepaper. 
Download our guide to vulnerability management

References: 

https://www.csoonline.com/article/567531/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html

https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-2023.pdf
