Five ways to ensure your applications are cyber resilient

With applications being released into production on a weekly, daily, and even hourly basis, the “Sec” in DevSecOps has truly never been more relevant or important. It’s time to ensure your application security approach is cyber-resilient. Here are five areas to focus on.

The massive shift to remote work caused by the COVID-19 pandemic has heightened the need for resilient application security practices in many organizations.

In addition to dealing with the volume and frequency of application releases these days, application security teams must now deal with the challenges associated with working remotely and checking in code from across the globe.

1. Automation

Automation is critical to cyber resilience. You need to leverage tools to make your application security solution as touchless and process-driven as possible. Ideally, anything that can be automated should be automated, and a resilient system will allow for this. In fact, a resilient system will not only allow it, but also drive automation.

Imagine a future environment where if you suddenly need to scan 1,000 applications, you can automatically increase the number of scanners needed to handle that capacity. If capacity changes and you no longer need as many scanners, your system is smart enough to account for that and lower the number automatically.

In a truly resilient system, automation will allow developers to write and commit code, and scans will simply happen. You shouldn't have to do anything. The system automatically filters out findings that you cannot fix, findings that are not important in your environment, or findings that don't matter to your KPIs and things of that nature. It's almost like pressing the gas pedal in your car: there's a lot going on under the hood, but you don't need to know anything about the engine other than what it does. This is quite powerful.

Ultimately, the goal should be to have code that self-heals like a spell checker. We're not there yet, but one day there will be enough intelligence for you to trust the system to fix problems on its own.

2. Have actionable results

Your application security program should focus on making test results actionable. It should be centered around what you need to focus on today. Historically, application security solutions have tended to give you a list of every problem to solve, when all you really need is a list of the problems that are relevant to your organization and to you.

A resilient system will focus on the 10 things you need to fix today, rather than the 1,000 things you may need to fix over time. It uses intelligence to identify issues that could impact or prevent you from going into production.

Actionability is part of automation. This means developers can write some code and, behind the scenes, the code is evaluated and whatever is relevant and needs to be fixed is shown to them as quickly as possible. It's like going from a horse and carriage to a Tesla.

3. Support more frequent scanning

Your ability to safely release code into production, and the speed at which you get telemetry back, depend largely on how frequently you are able to scan your application. You need resiliency in application security because you have more applications and you're scanning them more frequently. This puts a lot of pressure on application security teams, developers, and CISOs.

An elastic system supports scalable scan capacity, from 1 scan to 1+n scans. While scalability is related to the number of scanners and the number of applications you have, frequency in a resilient system is related to how often you scan those applications.

For example, if you use GitHub and you scan or commit 20 times a day, you need a system that is resilient enough to handle that frequency. It's about having a burst feature that spins up more scans when a threshold is reached, without having to call someone or go find another product. For example, you just start another container in Docker and you're done.
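The scale-up-on-demand behaviour described in sections 1 and 3 (burst when the scan backlog crosses a threshold, shrink again when it drains) is easy to state and easy to get wrong in practice: scale down too eagerly and the pool flaps between sizes on every quiet minute. The following is an added illustration written for this page, not code from the article or any vendor's product. It assumes each scanner container can work through a fixed number of scans per scheduling tick, that a backlog larger than current capacity is the burst threshold, and that the pool only shrinks after several consecutive under-utilised ticks. It returns scanner counts rather than starting real containers.

```python
"""Queue-driven scan-capacity autoscaler (constructed illustration).

Models the "burst" behaviour a resilient scanning pool needs: when the
backlog of pending scans exceeds what the current scanners can clear, more
scanners are requested immediately; when the backlog drains, the count is
lowered only after sustained low demand so the pool does not flap.
Nothing here talks to a real orchestrator; the pool just tracks a count.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import List, Optional


@dataclass
class ScalerConfig:
    # All values are assumed for the illustration, not taken from the article.
    min_scanners: int = 1        # always keep one warm scanner
    max_scanners: int = 20       # hard cap: licence or cost ceiling
    jobs_per_scanner: int = 5    # scans one container clears per tick
    scale_down_ticks: int = 3    # quiet ticks required before shrinking


@dataclass
class ScanPool:
    cfg: ScalerConfig
    scanners: int = 1
    idle_ticks: int = 0
    history: List[int] = field(default_factory=list)

    def desired(self, pending: int) -> int:
        """Scanners needed to clear `pending` jobs in one tick, within bounds."""
        want = ceil(pending / self.cfg.jobs_per_scanner) if pending > 0 else 0
        return max(self.cfg.min_scanners, min(self.cfg.max_scanners, want))

    def step(self, pending: int) -> int:
        """Apply one scheduling decision for the current backlog."""
        want = self.desired(pending)
        if want > self.scanners:
            # Burst at once: a growing backlog is what delays releases.
            self.scanners = want
            self.idle_ticks = 0
        elif want < self.scanners:
            # Shrink only after `scale_down_ticks` consecutive quiet ticks, so a
            # short lull between commits does not tear down containers that the
            # next push will need again.
            self.idle_ticks += 1
            if self.idle_ticks >= self.cfg.scale_down_ticks:
                self.scanners = want
                self.idle_ticks = 0
        else:
            self.idle_ticks = 0
        self.history.append(self.scanners)
        return self.scanners


def simulate(commits_per_tick: List[int], cfg: Optional[ScalerConfig] = None) -> List[int]:
    """Feed a constructed series of commit counts through the pool.

    Every commit queues one scan. Returns the scanner count chosen per tick.
    Jobs the capped pool cannot clear in a tick carry over to the next one.
    """
    cfg = cfg or ScalerConfig()
    pool = ScanPool(cfg)
    backlog = 0
    for commits in commits_per_tick:
        backlog += commits
        running = pool.step(backlog)
        backlog = max(0, backlog - running * cfg.jobs_per_scanner)
    return pool.history


if __name__ == "__main__":
    # Constructed traffic: a quiet start, two bursty ticks, then silence.
    print(simulate([2, 30, 40, 3, 0, 0, 0, 0]))
    # A 200-commit spike exceeds the cap, so the backlog carries over a tick.
    print(simulate([200, 0, 0, 0, 0, 0]))
```

The interesting behaviour is in the second run: the cap of 20 scanners cannot absorb 200 queued scans in one tick, so the pool stays at its ceiling for a second tick while the remainder drains, and only then begins the cooldown countdown before returning to a single warm scanner.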

4. Wide coverage

Modern web applications are heavily driven by web services, and the more web services and APIs you have, the greater the risk to your application. Resilience is about having an application security solution that not only solves what you are doing now, but also has the flexibility and scalability to handle future challenges.

Your solution needs to be cloud-agnostic and have the flexibility to cover on-premises and SaaS environments. It should be able to quickly support new languages and frameworks. Breadth of coverage means supporting every language your business needs to scan now and in the future. Most enterprises don't just have .NET or Java; they have dozens of languages.

If you start as a .NET shop with static analysis capabilities for .NET, do you have the ability to support Java if a new team joins or another company is acquired? Or do you need to go out and buy a whole new set of tools? A resilient application security system will be able to scan these new applications, and you can simply decide which model you want to leverage, from SaaS or on-premises to hybrid.

5. Make sure it’s scalable

In a resilient system, you can gain more scanning capability without adding infrastructure. Your system will be cloud-agnostic, with the ability to spin up scan servers on demand and shut them down just as easily when you don't need them. In just a few minutes, you can go from needing extra capacity to scan more apps to having that extra capacity available.

Licensing flexibility is critical to scalability. It needs to be flexible enough so that you don't have to buy another license every time you need additional capacity for static or dynamic testing. Your license should allow you to move back and forth based on your needs and scanning capacity.

Why cyber resilience is key

Web application vulnerabilities are a top target for cybercriminals, according to the latest version of Verizon's annual Data Breach Investigations Report. About 40% of data breaches investigated by Verizon in 2019 actually involved application vulnerabilities.

It’s clear: a strong application security program is critical to enterprise cyber resiliency. Follow the guidance above to adapt your approach.
