Application security, or AppSec, is one of the fastest-growing areas of cybersecurity — and for good reason.
Whether you’re talking about a web, mobile, or desktop app, a cybersecurity breach can lead to serious consequences, including sustained downtime and large financial losses. In 2022, the average cost of a data breach was approximately $4.35 million, according to research from IBM.
Apps face a higher risk of attack because they’re more complex and are increasingly likely to be cloud-based, increasing the potential openings for intruders. And because of their function, they usually must grant users some access to their data and systems. Even an app with excellent controls can be at risk if it has a vulnerability.
“Kind of out of necessity, the application has to have access to sensitive information in order to do its job,” said Victor Teissler, Director of Offensive Security at Digital Silence, a boutique cybersecurity firm based in Denver. “That is kind of a direct path for an attacker to get access.”
More organizations are hiring cybersecurity contractors to conduct application security reviews that identify potential attack vectors and develop countermeasures like application firewalls, code reviews, internal testing and monitoring.
But these reviews can represent a significant investment in both time and money. To ensure they receive the greatest benefit from app security testing, businesses should keep the following in mind, Teissler said.
Be clear about the scope of the app security test.
When hiring a contractor, make sure to get quotes from multiple vendors and understand what each scope contains, so you can make accurate comparisons between what’s being offered.
The best cybersecurity teams usually incorporate testing methodologies and best practices from one or more of the following:
- OWASP Top 10 Testing Methodology
- Open Source Security Testing Methodology Manual (OSSTMM)
- Council of Registered Ethical Security Testers (CREST)
Using these standards increases the likelihood that your testers will find the most common types of security problems, such as cross-site scripting, where an attacker injects script into an application so that it is served to another user's browser and runs there with malicious effect.
The testing methodologies are periodically updated to highlight new threats. Your testers should be staying up to date on the latest cybersecurity trends, too.
“The evolving threat landscape requires us to keep our finger on the pulse and be aware of what’s out there,” Teissler said.
Also, the security review shouldn’t end with the standard tests. It should also account for the app’s unique configurations and needs.
“Not every customer has a well-designed or robust threat model and risk assessment,” Teissler said. “They might not know what to focus on, so we’ll help them with that.”
For example, an app that processes credit card information might not encrypt that data at rest. The reviewers would point out the potential risk and ask the client to focus on that.
Scale the review to the size and complexity of the app.
The length of the test depends on the scale of the app being investigated. For example, a basic to-do list app might take only a few hours because its functionality is limited. A more complex app could take much longer to review.
“Is it multi-tenanted?” Teissler said. “Are there multiple user roles? Are there a lot of dynamic pages that each accept input from the user? We’ll take all this information, and if we’re still unclear, we’ll ask the client to show us the application.”
Verify that a senior technical resource will be part of app testing.
Before committing to a vendor, ask who will oversee your app’s security review.
Some cybersecurity firms will showcase their most experienced staffers during the sales process, when in reality, junior employees will perform most of the testing.
“The security industry is rife with companies that don’t do a great job,” Teissler said. “There are a lot of companies that would just run some automated tools and try to hastily put together something that resembles a real penetration test and real findings. But it’s not the same.”
Keep an open mind.
“From my perspective, the clients that seem to benefit the most are the ones that are the most open-minded and collaborative about the feedback,” said JT Gaietto, Principal and Chief Security Officer (CSO) at Digital Silence.
That’s not always easy because sometimes the stakeholders are the people who originally built the app. It can be difficult to hear about potentially severe gaps in its security.
Ultimately, the testers are there to make the app safer and stronger.
“It’s important to us that our clients and the people working with our clients know that we’re all on the same team,” Teissler said. “We’re here to help improve things.”