Continuing on our exciting and informative webinar series, last week Appknox hosted a webinar on 'Building Org-Wide Software Security Practices'.
Organized in association with Xoxoday, the leading technology platform helping businesses manage incentives, rewards and loyalty programs, I had an amazing discussion regarding various aspects of security when it comes to org-wide business initiatives and so much more with Mr Srivatsan Mohan (VP, Xoxoday).
Srivatsan has years of experience when it comes to the design and development of applications and an amazing knack for product management and strategy building.
So, let's take a glimpse at some of the major highlights of our discussion during the webinar.
Harshit: Hi Srivatsan, and welcome to the Appknox webinar. In your journey of working with numerous enterprises/clients, what were some of the major security concerns that your clients expected you to address, and how has your experience been in ensuring that security is never a roadblock when it comes to client satisfaction?
Srivatsan: Thanks, Harshit. I am really excited to be a part of this webinar. That is really a great question, Harshit. In our growth journey from being a startup to becoming a formidable organization with prominent clients, we have realized that security is one of the key priorities when it comes to client expectations.
We have focussed on integrating some of the essential security features into our products right from the start, like system hardening, encryption and RBAC (Role-Based Access Control), and also implemented controls to address the OWASP Top 10 vulnerabilities.
We also realized the importance of automated code reviews and went ahead and implemented the same in our products. We also focussed on solution architecture and implemented measures like VPNs and firewalls to establish the first layer of physical security and win the trust of our early enterprise clients. Gradually, we were also able to comply with the established global standards like ISO, SOC-2, GDPR etc. and now have established ourselves as a security-centric organization and this has immensely helped us in winning over our clients.
Harshit: I couldn’t agree more with you. In my business journey also, I have realized that security is one of the most highly prioritized requirements of modern-day clients and one can never compromise on that.
Coming to my next question, Xoxoday has grown massively in the last 8-9 years, and during this journey I am sure your security practices have evolved with it. Can you share some pointers for all of us here on how you ensured that Xoxoday is built on security-first principles?
Srivatsan: It sure has been a pretty exciting journey and obviously our security practices have also evolved with it accordingly. We are now keenly focussing on making infosec a top priority for everyone across the organization and in order to execute this plan, we have introduced infosec training right from our induction programs. We have also made VAPT a regular practice in our organization across our mobile and web applications and other infrastructure components.
We now also ensure that security audits are a regular feature of our business strategy, and we conduct continuous code reviews, including both automated lint-based reviews and manual reviews. Around 6-8 months back, we introduced bug bounty programs to strengthen our security checkpoints even further. With this program, we are attracting expert security professionals to highlight the deeply rooted security loopholes in our systems so that we can mitigate them as early as possible.
Harshit: It really pumps me up knowing that you guys are using bug bounty programs at your organization. Numerous security experts trying their hands at finding security issues across your products is certainly a big plus point.
Srivatsan: As Appknox itself comes from a security background and leads the market in the mobile and application security domain, it would be great if you could share some of the security best practices you have seen other companies follow and some of the practices that you always suggest to your customers.
Harshit: We have performed more than 5000 mobile and 500 web app security tests, and while doing so, we realized that a lot of early-stage companies fall into the trap of security loopholes by missing even the most basic security checks. On the other hand, there have been instances where a lot of early-stage and growing companies have far more mature processes than some of the large-scale enterprises.
Some of the best practices I have come across and usually recommend to my customers include using open-source tools for different security aspects, like a VPN, from a very early stage of development. A tool called PRITUNL can be used for the same. Businesses can also use Cloudsploit for cloud security, Archery Sec and Faraday for VM management, Snyk for source code security and much more. You can set these up without having much idea about security, and once set up, they can help you ensure decent safety measures; as you grow, you evolve these and onboard paid tools or work with vendors for the same.
However, despite strategizing and implementing the best possible security features and practices, there is a very big chance that you will get hacked. At this juncture, I would like to quote John Chambers, who once said, "there are two types of companies: those that have been hacked, and those who don't know yet that they have been hacked". That said, businesses should first try open-source tools and then move towards paid vendors once their understanding has matured. And as their DevOps implementation matures, it's best to shift towards DevSecOps and strengthen their security posture even further.
Srivatsan: That is some really valuable information you shared here, Harshit. Also, I am sure you too would have faced a few instances of serious security incidents and some devastating hacking attempts. What are some of the major security incidents that you have encountered, and how did you mitigate them? How do you deal with bug bounty issue submitters yourself?
Harshit: I recall several such incidents where hackers were able to exploit the vulnerabilities in products and sniff critical information. However, we have always managed to remediate such incidents with proper plans of action.
We also have faced several security incidents where bug bounty hunters have come to us with low severity security exploits that didn't lead to any significant data/information loss. Also, in some of the cases, we had a miss from our side and we later tried to acknowledge and reward the bug bounty submitters depending on the severity of the identified risk. We are definitely trying to work out a suitable policy for the same and we realize how important such efforts can be over time.
Srivatsan: Those are some serious lessons to be learned for everybody out there. Harshit, how have you found security-first principles vary between enterprises, SMBs and startups?
Harshit: At Appknox we have worked with a lot of companies, and that too at different stages of their evolution. For early-stage companies, implementing some of the security-first principles is very critical. A lot of early-stage security practices like proper access control, secure architecture and cloud security can ensure long-term security benefits. With a budget of less than a few thousand dollars, small businesses can achieve these security goals. Relying on certain open-source tools can also be a good start for them.
As a company grows, it generally has to introduce a lot of security features for the sake of compliance and regulations, and it eventually needs someone to chair the security council internally and drive key security practices as KPIs. Also, each team needs to have an owner to ensure that security is implemented not by force but by interest and understanding. Big enterprises generally have a CISO profile to drive and manage security practices and have a hefty budget for the same.
Key Takeaways from our 'Building Org-Wide Software Security Practices' Webinar
Importance of Continuous Security Testing
For any business, be it a budding local venture or a giant multinational organization, the effective management of security issues is a must for success. Moreover, it is important for organizations to focus on security continuously, as even a small breach can lead to a massive PR disaster for the company.
According to the IBM Cost of a Data Breach research, the cost of a data breach has increased by over 10% in 2021 alone. With this increase, a data breach incident can cost an enterprise more than $4.24 million on average. And even with these figures, around 80% of organizations still lack an effective org-wide security strategy.
Relying on security testing can change this picture for your business. Continuous security testing is a rather straightforward process. It simply means that your security tooling should let you introduce security tests in the early stages of your SDLC and then continuously monitor for and fix a wide range of security vulnerabilities with very little effort.
The Transition from DevOps to DevSecOps
Introducing DevOps into your development culture is a strong start, but it is even better if you go ahead with the transition from DevOps to DevSecOps. With DevSecOps, you can also give your development and other cross-functional teams training in some of the most effective security practices to make them aware of the ongoing security requirements and the remedies available.
You can start the transition by gradually letting the teams take up additional security tasks one by one. It is sensible to start with malware scanning, pen-testing, automated code scanning and continuous security testing, and then incorporate more advanced security practices into your development process.
Once these security practices are implemented, the entire development process becomes faster, easier and much more efficient, as security is prioritized at each and every step of the process. The transition to DevSecOps will not only improve the quality of code and the overall security posture but also reduce the volume of vulnerabilities and help build a security-centric and trustworthy application.
How to Safeguard your Software from Vulnerabilities in Real-time?
One of the essential requirements when it comes to building an org-wide security strategy is to be able to handle and remediate vulnerabilities as soon as they are detected. Let’s take a look at some of the key pointers highlighted during our webinar regarding protecting your software from critical vulnerabilities:
1) Introduce Security as Early as Possible
The importance of introducing privacy and security features early in your SDLC can’t be emphasized enough. If you implement security at later stages of development, it might cost you 2-5 times more in order to get things fixed.
2) Take a Security First Stance
Apart from your own product, the infrastructure used by your business partners and other third-party integrations is also a crucial part of your attack surface. So, it's always advisable to choose your partners carefully and to ensure you scan your apps at least once every 6 months.
3) Set up and Stick to your Incident Response Plan
One of the best security practices almost every mature organization follows is to have a well-designed security incident response plan. Whenever a security incident occurs, it’s best to stick to the plan and take all the immediate steps in order to mitigate the issue.
4) Everyone is Responsible for Security
Security is always an org-wide effort. That is why it is essential to train every individual inside your organization in terms of security and help them understand the crucial role they can play in building a security-first organization.
Framework for Building a Security-First Company while Working Remotely
Maintaining an org-wide security posture is challenging in these times when remote work has become the new norm. However, with some simple steps, you can easily achieve this goal. Let’s take a look at some of the most important steps you can take to build a security-first culture within your company while your workforce works remotely:
1) Identify and Secure your Assets/Applications at Risk:
The preliminary step towards ensuring security is to have detailed information about your most vulnerable assets. Once you identify those assets, you can go ahead and work towards building a suitable security implementation strategy and take the necessary steps to safeguard those assets.
2) Educate your Teams on Phishing and Malware Attacks
In the remote working culture, attackers have found several new vectors for targeting businesses. Phishing and malware have become the primary attack vectors during these times, and it has become more important than ever to train employees on cybersecurity best practices and safeguard them against phishing attacks.
3) Use VPN
There are plenty of opportunities for attackers to intercept sensitive business information while employees access sensitive resources over the internet. That is why using a VPN (Virtual Private Network) becomes a must: it protects against such external attacks by establishing an encrypted connection between the employee and the resources they access.
4) Prioritize Risks Using a Scorecard (CVSS) and Perform Regular Risk Assessment
You can also use the CVSS (Common Vulnerability Scoring System) framework to prioritize potential vulnerabilities based on severity. Also, performing regular security tests will help keep those vulnerabilities at bay and ensure that the identified vulnerabilities are mitigated as early as possible.
5) Implement Automated Security Solutions
Implementing and utilizing automated security solutions helps you achieve multiple security goals. It can help you manage alerts from a wide range of attack vectors and quickly determine how much attention the identified vulnerabilities require. However, while selecting security solutions and choosing your vendors, you must keep these points in mind:
- Always check their customer reviews on Gartner, G2 and other public forums.
- Do a proper analysis on the costs involved vs the returns expected (ROI).
- You can also compare workforce costs vs the cost of using an automated product.
- Always compare the functionalities of open-source and proprietary tools and choose based on your requirements.
There is no denying the fact that security has become part and parcel of modern-day business, and building an organization-wide security strategy and promoting crucial security practices can certainly go a long way.
In our webinar, we tried to establish a detailed conversation around the security-related experiences business leaders have during the evolution journey of their business and how this experience can be used to establish some of the best org-wide practices and ensure a massive competitive advantage over your peers.