While compliance ensures steady improvements to application security, the cadence of upgrades is not enough to meet best practice or evolving customer expectations.
Internet-based applications might run the digital world, but their security is an ever-present concern, and the consensus is that more needs to be done, and fast, to build (or rebuild) a foundation of trust.
Modern digital experiences are powered by interactions between web application servers and scripts that run on a user's machine. Web application developers often use common third-party scripts, code libraries, and dependencies to build their public-facing web applications. This principally saves time and effort compared to coding from scratch, and using common building blocks also improves compatibility across devices.
But use of third-party scripts comes with software supply chain risks. They can contain security vulnerabilities from the outset, or be quietly modified by attackers to insert malicious code that is then unknowingly incorporated into web applications, where it can remain undetected long enough to compromise thousands of users and transactions.
With web applications being developed and brought to market faster than ever – recent research points to a 39% rise in web applications and websites in the next two years, “rising from an average of 145 to 201 per organisation” – security teams are struggling with this pace of development, and it’s showing, with attacks on the rise.
Compliance does not equal security
Aware of the threat, the payment industry has worked recently to impose additional security standards on web application owners, requiring them to inventory all scripts in use, confirm scripts are uncompromised, and have an alerting system in place if possible compromises are detected.
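As an added example (not code from the article), the script inventory and integrity check that requirement describes, in Python: it lists the external scripts a page loads, compares each one's Subresource Integrity digest against an approved baseline, and reports changed, unreviewed and retired scripts as the conditions an alerting system should raise. The page HTML, script bodies, URLs and baseline are constructed sample data.

```python
import base64
import hashlib
import re

# Constructed sample data (not from the article): a checkout page's HTML,
# the bodies a fetch of each script would return, and the approved baseline.
PAGE_HTML = """<html><head>
<script src="https://cdn.example.test/lib/analytics.js"></script>
<script src="https://cdn.example.test/lib/payments.js"></script>
<script src="https://widgets.example.test/chat.js"></script>
</head><body></body></html>"""
FETCHED = {  # simulated HTTP responses; payments.js differs from the baseline
    "https://cdn.example.test/lib/analytics.js": b"window.track=function(e){};",
    "https://cdn.example.test/lib/payments.js": b"window.pay=function(c){/*v2*/};",
    "https://widgets.example.test/chat.js": b"window.chat=function(){};",
}
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)

def sri_hash(body: bytes) -> str:
    """Subresource Integrity digest in the form browsers accept: sha384-<base64>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

# Approved inventory: URL -> digest recorded when each script was reviewed.
BASELINE = {
    "https://cdn.example.test/lib/analytics.js": sri_hash(b"window.track=function(e){};"),
    "https://cdn.example.test/lib/payments.js": sri_hash(b"window.pay=function(c){};"),
    "https://cdn.example.test/lib/legacy.js": sri_hash(b"/* retired */"),
}

def inventory_scripts(html: str) -> list:
    """External script URLs referenced by the page, in document order."""
    return SCRIPT_SRC.findall(html)

def audit_scripts(html: str, fetched: dict, baseline: dict) -> dict:
    """Classify each script as ok / changed / unknown and list baseline entries
    no longer on the page; everything outside 'ok' is what alerting should raise."""
    report = {"ok": [], "changed": [], "unknown": [], "missing": []}
    seen = set()
    for url in inventory_scripts(html):
        seen.add(url)
        if url not in baseline:
            report["unknown"].append(url)      # script never reviewed
        elif sri_hash(fetched[url]) != baseline[url]:
            report["changed"].append(url)      # content differs from approved
        else:
            report["ok"].append(url)
    report["missing"] = [u for u in baseline if u not in seen]
    return report
```

In a real deployment the FETCHED bodies would come from periodic fetches of the live page and its scripts, and the same digests can be pinned in the page's `<script integrity="...">` attributes so the browser refuses a modified file.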
More than that, the latest version of the payment industry standard PCI DSS is driving a more fundamental change in how web applications are architected and tested. The intent is to elevate the testing of security and compliance controls from being an audit response to a continuous and iterative activity: where testing occurs early in the development cycle, and often thereafter.
This isn’t compliance overreach as much as a push to adopt application security best practices.
Some best practices have been slow to be incorporated into compliance regimes – specific requirements around web application security are notably absent from the Essential 8, for example, although we anticipate some movement on that front in coming years.
By contrast, these best practices are already on the radars of leading software engineering functions, where there’s been a trend in recent years towards DevSecOps and a ‘shift left’ philosophy driving security more deeply into software design.
Leading organisations are complementing their secure-by-design approach to software development with defence-in-depth layered protections for their application servers and specific measures to detect and block client-side attacks. Next-gen web application firewalls (WAFs) have a key and ongoing role to play here.
What’s important now is that more organisations go down this path. In doing so, they would not just be proactively preparing themselves to meet future revisions to compliance rules or industry best practice. More critically, they’d be meeting customer expectations for the level of security that should be present when transacting on the web.
WAF choice decides an organisation’s fortunes
For application security to really advance, it needs to move beyond upgrades that are tied to compliance cycles. At the end of the day, these cycles encourage only a baseline amount of action, and the gap between those actions and what is considered to be the benchmark in security is widening by the day.
Realistically, organisations with public-facing web applications that want to maintain their licence to operate need to adopt a more proactive stance to security testing and monitoring.
This kind of posture is good for all types of organisations.
For those that are traditionally compliance-driven, the practice of security testing early and often in the software development lifecycle better prepares them to meet rapidly evolving threats, as well as future sets of revised security obligations that may be imposed upon them.
Updates to PCI DSS tend to come every few years. Organisations with a proactive, secure-by-design and customer-focused security ethic are more likely to stay one or more steps ahead of compliance requirements.
It is also good for most types of Australian organisations. Secure-by-design principles are a key tenet of the country’s latest cyber security strategy, and realistically most organisations will need to demonstrate they have embraced these principles to meet their obligations by 2030.
WAFs are a critical piece of any application security puzzle
A Next-Gen WAF, in particular, can provide advanced web application and API protection (WAAP) for applications, APIs, and microservices. Ideally, it should be capable of highly accurate decisions; be able to be flexibly deployed in any environment to protect apps and APIs wherever they are – in containers, on-prem, in the cloud, or on the edge; and integrate seamlessly into the organisation’s DevSecOps stack, making security simple for everyone.
The ultimate aim is to deliver more secure web applications and digital experiences to users faster, with fewer vulnerabilities, and with the capability to detect and remediate any residual risks. Making the right choice of WAF is a decisive factor in an organisation’s success in this regard.