Applications are proliferating, which is great for business, but less than great for security. That’s because many organizations are still following cybersecurity practices designed to protect an older IT world based on hardware located in offices and data centers.
But today applications are everywhere, making that security approach not only obsolete, but also extremely risky.
Today’s applications are just as likely to be run on a smartphone, tablet or laptop as they are to be on a permanently located desktop — perhaps even more so. In a broad range of industries, offering seamless, secure access to information is pretty much a core business requirement. Think of the web and mobile apps you use for banking, shopping, transportation, finding restaurants, reading the news and maybe even obtaining healthcare.
Applications are also the doorway to your organization’s data. That’s why securing this doorway is so vital. If criminals can tamper with an application’s code, they can eventually gain access to the data behind it. This new situation demands an equally new approach to cybersecurity.
However, securing disparate apps is far more complicated than protecting hardware in the data center. Those centralized hardware systems were typically part of an integrated network. Endpoint devices could be scanned with relative ease, ensuring that they had the latest security updates and patches. By comparison, today’s applications are far more complex and fragmented. That can make them more difficult to monitor and protect.
Opportunity vs. risk
There’s good news though: The rise of applications has transformed how organizations operate and created new business opportunities. The rise of apps has even enabled the creation of entirely new and powerful brands; think Uber, Airbnb and TikTok.
In this environment, developers face pressure to design, program, test and release applications faster and faster. Further accelerating this already speedy pace are new technologies and approaches, including the cloud, open source software, DevOps approaches and Agile development techniques.
Another source of pressure comes from compliance and regulatory requirements, whether from governments or industry bodies. In the European Union (EU), applications must protect the privacy of users as defined by the EU’s General Data Protection Regulation (GDPR) rules. In the United States, the Children’s Online Privacy Protection Act (COPPA) requires apps to protect the privacy of children under the age of 13. Other geographic regions and vertical industries have regulations of their own, making the job of application compliance a big one.
Read about DXC's new and strategic approach to software testing, Intelligent Testing as a Service (ITaaS).
New challenges
Taken together, these and other new developments present organizations with a long list of serious challenges. These include:
- Many organizations lack the visibility and transparency needed to manage application security in the new IT landscape.
- Application security is often fragmented in virtual islands that are disconnected from information security risk and compliance management.
- Given the velocity requirements of modern applications, conventional point-in-time application security treatments — that is, identifying issues and remediating them on a periodic rather than continuous basis — have become a hurdle.
- Conventional QA/testing to detect application security issues are out of sync with new development approaches. One result: too many findings are identified at the development process’s tail end.
- Many organizations lack auditability in terms of consolidating technical and organization measures. Yet this is needed to demonstrate conformance with security practices for protecting applications.
- The pressure to release applications ever faster can result in the propagation of security risks to production. This can also lead to higher remediation costs.
How DXC can help
DXC Technology offers an adaptive application security service that can design a tailored service for you. This will align with your technology environment and information security management framework, using automation as the foundation and driving principle.
DXC’s solution employs what we call an adaptive, prevention-first framework. This integrates security by “shifting left” in the development life cycle so that security measures are applied early. And it means scanning not from time to time, but instead continuously. It also means monitoring not only hosts and servers, but also applications.
The DXC framework ensures that you’ll have no surprises at deployment. Security is governed by a designed policy framework throughout the code progression in the pipeline.
DXC’s prevention-first framework also reduces security risk propagation, provides adequate time for remediation, complements velocity goals, and reduces remediation costs. By lowering or even eliminating security risks and liabilities with DXC’s help, your organization can enjoy a full, secure path from code to deployment.
You can also improve your compliance with government and industry regulations, shine during annual security audits, and make changes in your IT ecosystem leading to the development of software that’s highly secure.
Learn more about Infrastructure, App and Data Protection
About the author
Liju Kurian is the application security capability lead at DXC Technology, with over 25 years of experience building application security solutions and services to solve customer challenges. Liju is responsible for building the strategy and portfolio while working with key partners and customers. A CISSP-, CISA-certified professional, he holds a master’s degree in networking and internet engineering and a bachelor’s degree in computer science engineering.