Enhancing Application Security Processes
Organizations are performing a balancing act: pushing forward as quickly as possible with digital transformation strategies while at the same time seeking ways to optimize application security.
Radware’s 2019 Web Application Security survey results revealed that no single best practice emerged as a way to guide enterprises in this effort. The process is still a journey of discovery.
The survey also revealed that organizations were, for the most part, following standard accepted security practices to implement security solutions. But in many ways, the non-technical part of digital transformation was the most difficult.
Senior management needs to step back and consider larger organizational changes and process controls. Furthermore, those with decision-making responsibility need to fully integrate effective application security into how their companies operate.
Microservices and Serverless Architectures
For organizations that develop applications, microservice architectures have grown in popularity in the past few years. This approach disperses loosely coupled services into distributed modules. That way, development teams working on one element of an application cannot break the entire application with their changes. Applications can be developed and updated more quickly in ways that work across multiple platforms.
In serverless or function-as-a-service (FaaS) architectures, applications are hosted by third parties. Developers do not need to manage server software or hardware. The process of scaling applications is simpler, and organizations only pay for the computing resources used because functions are called on instead of requiring always-on availability.
While development and operations (DevOps) automation tools are still the most prevalent, microservices gained more traction than containers and serverless/FaaS did.
Perceptions of These New Concepts
Respondents from firms that have completed migrations reported observable benefits. Sixty-eight percent identified an increase in security effectiveness, and 61% recorded an increase in operational efficiency. Increases in operational costs were also reported by 52% of respondents.
In comparison to traditional server-based architectures, 57% of respondents said that the move to microservice/containerized architectures has increased their application risk profile.
APIs are central to enabling continuous integration of applications. As part of security protocols, 85% of respondents said that they required authentication or used a single sign-on (SSO) solution to interact with third-party APIs. Eighty-eight percent of survey participants used encryption when exposing data to third-party APIs, while 91% analyzed API vulnerabilities prior to integration. These high percentages demonstrate that businesses understand that APIs are a blind spot.
Gartner predicts that, by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the user interface (UI), up from 40% in 2019.
When asked about progress with continuous integration/continuous deployment (CI/CD), which is a critical step toward achieving digital transformation, 9% said that they have not yet begun, and 10% said that they are almost there but are stalled by security concerns. While 44% achieved CI, only a modest 37% said that they have achieved both CI and CD — but only for some of their applications.
More than half of survey respondents said that security was fully integrated with their CD pipeline, which indicates a maturation of the application delivery process in many organizations. The vast majority also said that security was integrated within the continuous delivery of web applications, APIs and mobile applications.