Cybersecurity and OWASP in an Increasingly Digital World – tripwire.com

As the world increasingly moves to a digital format, cybersecurity is becoming more important than ever. It's especially significant since, according to a recent survey by Sophos, 51% of businesses in America experienced a ransomware attack in 2020. That's a staggering number of security vulnerabilities that truly shouldn't exist in the modern day and age. Yet, it's relatively understandable.

The push for apps hitting the market quickly has become a driving factor in a lot of development teams, and sometimes, that means that cybersecurity takes a back seat. In fact, this is why a lot of companies have begun adopting the DevOps model with the hope that they can not only overcome security and compliance challenges but also release a product within a tight deadline.

Fundamentally, the issue of application security is multi-faceted, with a variety of techniques, philosophies, and certifications that can be applied to make all applications safer.

For example, take the recent update to MITRE's Common Weakness Enumeration (CWE), which itself was built on the incredibly popular ATT&CK Framework. Sponsored by the U.S. Cybersecurity & Infrastructure Security Agency (CISA), its whole purpose is to categorize security weaknesses and vulnerabilities with the hope of understanding the specific flaws of each category and how to mitigate them. In fact, CWE has over 600 categories, covering everything from buffer overflows to cross-site scripting and even race conditions.

This update couldn't have come sooner, too, especially since some experts predict that cyberattacks will escalate given the massive increase in both remote work and the Internet of Things (IoT). This is exactly why cybersecurity understanding is not optional for these companies, as hacking tools are becoming more commonplace. It's important that any tool that connects to the web has some form of cyber resilience.

In fact, it's this distinction between cyber resilience and cybersecurity that companies often get wrong. It's not a choice between one or the other, and it's not enough to simply throw as many coding standards as possible at the problem. Instead, companies and developers must develop applications with cyber resilience in mind, such as using Continuous Integration / Continuous Delivery (CI/CD) pipelines to code with fewer vulnerabilities or using more reliable web hosting.

As you can imagine, a lot of the modern world is hosted in the cloud, and therefore, cloud security plays a big part in ensuring that data stays safe. In fact, cloud-hosted application security has become a problem, especially since there often isn't a cloud-specific DevSecOps person on hand to make sure that the application is safe from potential outside vulnerabilities.

Thankfully, there are security protocols, such as the security compliance principles of the National Cyber Security Centre (NCSC), which set out easy-to-follow rules on how to approach security for the cloud. Actions such as protecting data in transit, authentication, customer separation, and ensuring the customer is using the service securely are all basic concepts that can significantly increase cybersecurity and resilience.

Security responsibility also includes website security standards. There are several ways to protect and secure website infrastructure, such as edge protection and using a secure web gateway.

What tends to interfere with better cybersecurity for websites are things like performance optimization, which may make a website more responsive. When done without a security mindset, this approach can lead to a lot of problems.

A major contributing factor to the lack of web security is the limited availability and experience of developers in this field. In fact, according to a recent survey, nearly 60% of developers have less than five years of experience, which can sometimes make it difficult for companies to keep up with not only the most modern techniques but also some of the more skilled malicious actors out there.

Clear and simple standards are important when it comes to things like overly complicated code. Sometimes, in the drive to make sure that code is secure, developers might forget to also take into account the best practices of application development, especially considering the immense time pressures they are under.

This is where the Open Web Application Security Project (OWASP) becomes a valuable guide. OWASP is a set of strict guidelines and criteria for application security. The OWASP checklist helps developers more easily integrate the recommended security standards while also helping to avoid coding flaws that can compromise security.

While OWASP is quite large in terms of how it goes about ensuring standards, here's a quick review of the different methods it uses:

Given that there is often a disconnect between the most recent technologies and current skill levels, it can be important to get back to the basics when it comes to programming and cybersecurity.

Keeping up to date with encryption standards is an important task that a lot of SecOps professionals might overlook or feel too busy to do. Similarly, keeping code simple is often something that more experienced developers tend to forget, and this can cause issues down the line for everybody involved.

Cybersecurity is a multi-faceted problem that is only getting worse as digital services continue to take over the world. That being said, it's not necessarily the end of the world, and good cybersecurity is definitely achievable, especially with the easy availability of standards such as those offered through OWASP.

It's also important to consider the specific skill set of security developers. Make sure to not only maintain their security credentials but to also help them grow professionally. The aim is always to be innovative rather than reactionary when it comes to security.

About the Author: Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He's also a part-time blogger at Privacy Australia, where he discusses online safety and privacy.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
