There is a familiar push-pull between innovation and security that occurs between application developers and security teams. Application teams are responsible for building and deploying a functional, bug-free app stack quickly. Meanwhile, security teams are tasked with ensuring the organization’s information and systems are secure – and that includes applications.
Securing the apps in a timely manner is extremely important for the organization. Sometimes, if apps are left unchecked, developers will hardcode credentials or keys into their apps as a quick and easy way to bypass this requirement while, in their minds, satisfying it.
Hardcoding credentials exposes organizations to massive risks.
- Hardcoded application credentials are high-value targets for bad actors. Internal applications commonly require access to sensitive information on legacy systems that don’t support newer, more secure authentication technologies. This access is often granted by a set of credentials or keys, sometimes referred to as secrets, which are occasionally over-privileged to begin with. If bad actors get their hands on those secrets, they could exfiltrate your organization’s most sensitive data.
- Chances are your organization is a target-rich environment for hackers. The scale at which organizations use privileged application accounts is enormous.
- For example, healthcare organizations deal with patient and medical information on a massive scale. There are countless internal applications (homegrown code, scheduled tasks, services, etc.) that need to process privileged or confidential information. If a bad actor manages to obtain a secret that gives them access to this sensitive data, the resulting breach means both the potential exposure of HIPAA-protected information and major financial consequences. The 2015 breach of health insurer Anthem caused a record-setting $115 million lawsuit settlement, with even greater potential losses for the firm due to loss of brand equity.
How an organization can enable secure app development
Simply stated, you need to turn security into code – and make it part of the development lifecycle enabling your app teams. Your app teams need to start off their coding with security in mind.
- Determine what privileged information the app needs access to.
- Determine how you will secure access to that privileged information.
- Build the code around that access and those security requirements. Making security part of the development lifecycle means that your app is secure from release one, and validated as secure in every subsequent release.
- Enable your developers by providing them the tools they need to do the job right. If you just tell them to do the first three steps without supporting the process, your developers will most likely default to doing things the fastest way and that often means finding ways to circumvent security.
- Keep in mind that enabling your developers comes from a combination of tools and streamlined processes. Traditional account management tools like CyberArk’s Application Identity Manager, or DevOps tools like Conjur, provide developers a secure method to authenticate their applications to those other systems. It’s not enough to just have these tools – your organization needs to make the implementation and use of these tools simple for your app teams.
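As an added example (not part of the original post, and not CyberSheath, CyberArk or Conjur tooling), here is a small heuristic check a build pipeline could run so that step 3 stays true in every release: it flags credential-looking names assigned a string literal, while ignoring values resolved at runtime or templated in by a secrets tool. The name patterns, placeholder list and sample source are constructed assumptions.

```python
import re
from typing import Dict, List

# Heuristic: an assignment (Python, YAML, Java-style declarations) whose
# right-hand side is a bare string literal. Values fetched at runtime
# (os.environ[...], a vault client call) never match because no quote
# follows the '=' or ':'.
ASSIGNMENT = re.compile(
    r'^\s*(?:[\w<>\[\]]+\s+)*(?P<name>[\w.]+)\s*[:=]\s*["\'](?P<value>[^"\']+)["\']'
)
# Variable names that usually hold a credential (case-insensitive).
SECRET_NAME = re.compile(r'(password|passwd|pwd|secret|api[_-]?key|token)', re.IGNORECASE)
# Obvious dummy values that should not fail a build.
PLACEHOLDERS = {"changeme", "example", "placeholder", "<redacted>", "xxx"}


def find_hardcoded_secrets(source: str) -> List[Dict[str, object]]:
    """Return one finding per line that assigns a literal to a credential-like name."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m or not SECRET_NAME.search(m.group("name")):
            continue
        value = m.group("value")
        # "${VAR}" style values are filled in at deploy time by a secrets tool;
        # placeholder strings are not real credentials either.
        if "${" in value or value.strip().lower() in PLACEHOLDERS:
            continue
        findings.append({"line": lineno, "name": m.group("name"), "value": value})
    return findings


# Constructed sample mixing the anti-pattern with hardened alternatives.
SAMPLE_SOURCE = "\n".join([
    'DB_USER = "svc_reports"',                                # not a secret name
    'DB_PASSWORD = "Summer2015!"',                            # hardcoded: flagged
    'API_TOKEN = "changeme"',                                 # placeholder: ignored
    'db_password = os.environ["DB_PASSWORD"]',                # resolved at runtime
    'client_secret: "${CLIENT_SECRET}"',                      # templated by a secrets tool
    'private static final String apiKey = "k3y-constructed-0001";',  # Java style: flagged
])

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['name']} is assigned a literal secret")
```

Wire the function into a pre-commit hook or CI stage and fail the build on a non-empty result; the regexes are intentionally simple and will need tuning for each code base.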
How to answer questions from your app teams
Chances are if you’re reading this, you are already imagining your app developers asking a series of questions including:
- How does one register an app?
- How do I write my code to use this tool?
- Where does my secret go?
- What’s my evergreen process?
CyberSheath develops simple, streamlined processes around these key questions to smooth the experience of securing applications. CyberSheath’s privileged access management engineers have real-world enterprise-level experience designing and implementing secure application controls, and creating the processes to enable your app teams. Whether your developers are programming in Java on Windows on-prem or loading up an application into a Docker container in the cloud, CyberSheath can work with you to help secure your apps and reduce your organization’s residual risk. Contact us to learn more.
Stay tuned for part 2 of How to Enable Applications Teams to Secure Code where we will discuss features and benefits of tools you can use to secure your applications.