Application security best practices and trends [Q&A]
Businesses today face a wider and more dangerous array of cybersecurity threats than ever before. In the UK alone there were more than 400,000 reports of fraud and cybercrime in 2021. Those crimes come with significant costs too. In addition to the reputational damage that comes with cybersecurity incidents, data breaches cost UK companies an average of US$4.35 million.
That makes it critical that organizations have the best possible cyber defences in place, not just for the threats they face today but also for those of tomorrow. This is especially true for business-critical applications like ERP systems that need to be run continuously in order for the organization to keep operating smoothly and servicing its customers.
We spoke to JP Perez-Etchegoyen, CTO of cybersecurity solutions company Onapsis, to discuss how it approaches vulnerability management and application security, the practices organizations should adopt in order to stay safe and what he thinks the future of cybersecurity might look like.
BN: What's the background to your company's role in cybersecurity?
JPE: Onapsis' founding dates back to the 2000s. Back then, all three founders were ethical hackers, working for a well-known security consulting organization in Argentina, servicing customers all over the world. When a customer hired them to try and hack into its applications to uncover vulnerabilities, Onapsis CEO Mariano Nunez noticed that it was running on SAP (one of the world's largest enterprise software platforms) and uncovered several major vulnerabilities.
He realized that the security community had neglected SAP and realized there was an opportunity for a company that could detect vulnerabilities and build defenses for companies running its software. Today, the company has more than 300 clients around the globe, including 20 percent of Fortune 500 companies.
BN: Why is your platform different?
JPE: We're the only vulnerability management and application security provider that deals specifically with business-critical applications running on SAP, Oracle, and Salesforce. Our products are able to manage vulnerabilities, detect and respond to threats, test application security, and automate compliance. The combined features of these products make it easier to identify and quickly shut down threats.
We're also aware, however, of the constant need to evolve and have introduced several new offerings over the past few months. These include Onapsis Assess Baseline, which accelerates enterprises’ abilities to kickstart their SAP vulnerability management programs, and enhanced information security solutions for our Defend and Assess products. We have also recently announced the release of our Threat Intel Center which connects the Onapsis Threat Intelligence Cloud, a global network of sensors and applications instrumented to capture the activity of attackers exploiting mission-critical applications, and deep research conducted by the ORL into a unified, detailed threat intelligence repository.
BN: Why have a separate research labs arm?
JPE: The primary role of Onapsis Research Labs is to track, identify, and defend against a constant stream of emerging cyber threats. The labs' team of cybersecurity experts not only uses its knowledge to improve the Onapsis platform but also shares advisories, publications, and threat reports with customers. To date, Onapsis Research Labs has uncovered more than 800 zero-day vulnerabilities, and many of the critical findings led to global CERT alerts.
The strength of this division is perhaps illustrated by its most recent discovery of three critical vulnerabilities within Internet Communication Manager, a core component of SAP business applications. These vulnerabilities have since been patched by SAP but Onapsis customers were protected right away, thanks to updates delivered directly through the Onapsis platform.
BN: What does the application security testing process look like?
JPE: Our automated security testing is designed specifically for SAP applications. By using our solution, organizations can identify errors before they enter the production phase and before they have a chance to impact application security, compliance, availability, or performance. The platform also allows organizations to inspect third-party or internal custom code throughout the application development cycle to ensure that vulnerabilities aren’t introduced at any point. This is completely integrated into the development process so developers can fix the issues earlier and with minimal cost, as opposed to having to fix them in production with extremely high cost and impact.
BN: Can you give us some top tips for keeping applications safe?
JPE: For business-critical applications in particular there are two things that IT teams should focus on: patch management and vulnerabilities in custom code.
Focusing on patch management should be a given for any IT team. After all, if cybercriminals are constantly looking out for vulnerabilities, you should aim to close them up as quickly as possible. Unfortunately, it's something that a lot of organizations aren't very good at. In fact, research shows that it can take up to 97 days for an organization to go from discovering a vulnerability to applying, testing, and fully implementing a patch. If you figured out an easy way to break into your house, you wouldn't fail to properly address it for more than three months, so why treat an organizational vulnerability any differently? The case for rapidly implementing patches becomes even stronger when critical SAP flaws have been weaponized within 72 hours or less of a patch release.
Most organizations also, to some degree at least, use custom code to ensure that their business-critical applications match their needs. The trouble is, custom code can be highly susceptible to vulnerabilities. Automated solutions that can quickly scan thousands of lines of code and identify potential vulnerabilities can help ensure that custom code is much less of a threat.
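The kind of automated custom-code check described above, as an added example that is not Onapsis code and not part of the original interview: a small pattern-based scanner over ABAP source that flags statements commonly associated with Open SQL injection, native SQL, OS command execution, runtime code generation and transaction calls without an authority check. The rule identifiers (ABAP-SQLI and so on) and the sample program are constructed for this illustration; a real scanner would parse statements and track data flow from user input rather than match single lines.

```python
"""Minimal rule-based scanner for custom ABAP code (added illustration)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned source
    rule: str       # hypothetical rule identifier
    severity: str   # "high" or "medium"
    text: str       # the offending statement, whitespace-trimmed


# Rule table: (rule id, severity, compiled regex, rationale).
# Patterns are line-oriented and deliberately simple.
RULES = [
    ("ABAP-SQLI", "high",
     re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I),
     "dynamic WHERE clause taken from a variable (Open SQL injection)"),
    ("ABAP-NATIVE-SQL", "medium",
     re.compile(r"^\s*EXEC\s+SQL\b", re.I),
     "native SQL bypasses Open SQL checks and client separation"),
    ("ABAP-OS-CMD", "high",
     re.compile(r"CALL\s+'SYSTEM'|SXPG_COMMAND_EXECUTE", re.I),
     "operating system command execution from ABAP"),
    ("ABAP-CODE-INJ", "high",
     re.compile(r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I),
     "runtime code generation (ABAP code injection)"),
    ("ABAP-NO-AUTH", "medium",
     re.compile(r"^\s*CALL\s+TRANSACTION\b(?!.*WITH\s+AUTHORITY-CHECK)", re.I),
     "CALL TRANSACTION without an authority check"),
]


def scan(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, skipping ABAP comments."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        if raw.startswith("*"):            # full-line comment: '*' in column 1
            continue
        code = raw.split('"', 1)[0]        # drop a trailing "..." inline comment
        for rule_id, severity, pattern, _why in RULES:
            if pattern.search(code):
                findings.append(Finding(lineno, rule_id, severity, code.strip()))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings by severity, e.g. {'high': 2, 'medium': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample program for the example; not real customer code.
SAMPLE_PROGRAM = """\
REPORT zcustom_report.
* Constructed sample for the example: not real customer code.
PARAMETERS: p_where TYPE string,
            p_cmd   TYPE string.
DATA: lt_users TYPE TABLE OF usr02.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (p_where).
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.       " shell out
CALL TRANSACTION 'SE38'.
CALL TRANSACTION 'SU01' WITH AUTHORITY-CHECK.
SELECT * FROM usr02 INTO TABLE lt_users WHERE bname = 'SAFE'.
"""

if __name__ == "__main__":
    results = scan(SAMPLE_PROGRAM)
    for f in results:
        print(f"line {f.line:>3} [{f.severity:<6}] {f.rule:<16} {f.text}")
    print("summary:", severity_counts(results))
```

Running the block flags the dynamic WHERE on line 6, the kernel call on line 7 and the unchecked CALL TRANSACTION on line 8, while the parameterised SELECT and the call with WITH AUTHORITY-CHECK pass; the comment on line 2 is ignored. Wiring such a check into the transport or pull-request pipeline is what lets developers fix findings before they reach production, which is the cost argument made above.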
BN: What are some of the most significant emerging cybersecurity trends?
JPE: Perhaps the biggest and most important emerging trend is the realization that, even with the best defenses in place, breaches can and do still occur. There have been enough major incidents over the past few years (including the Colonial Pipeline, Log4j, and Kaseya ransomware attacks) that this should be obvious. It's therefore critical that organizations have incident response playbooks. These playbooks should outline potential cyberattack scenarios with highly detailed remediation plans. With the right incident response plans in place, organizations can resume business faster and restore customer confidence.
In doing so, it's critical that they have the buy-in of the entire organization. One of the best ways of achieving this is to make cybersecurity feel as accessible as possible. Here, cybersecurity frameworks such as the NIST Cybersecurity Framework can be incredibly helpful.
Image credit: Pixabay