The key to improving cloud app security, even with shortened life cycles, is to move from DevOps to DevSecOps. This means digital defense is not a separate task or duty but instead mixed throughout the development process.
- Train developers to fix security issues as part of their work. Start by learning the most common security issues in your apps. Then create a training program aimed at preventing those issues in advance and at recognizing other possible issues, such as cross-site scripting (XSS), after they have been used against you. Next, empower your team to fix issues during the development process, which saves the time spent finding and correcting weaknesses later.
- Use built-in Windows protection features. Microsoft offers exploit-mitigation features that harden the layout and use of the operating system’s memory. Both address space layout randomization (ASLR) and data execution prevention (DEP) are available to all app developers.
- Include dynamic application security testing (DAST) in your development cycle. By its very nature, the DAST process helps find possible issues in advance. Because static application security testing (SAST) often gives many false positives that take a lot of time to resolve, DAST is often more efficient.
- Use prepared statements for database queries. To reduce the risk of structured query language (SQL) injection, which is a top concern, train developers on app-building techniques that prevent this type of attack. If developers use prepared statements or stored procedures, threat actors cannot insert an SQL statement through an input field. This prevents cyber criminals from reading the database contents or inserting malware into the database.
- Focus on governance. Many groups shorten their app development life cycle by using low-code platforms, which allow non-developers to build apps. Because both the platforms and the use of citizen developers can increase risk, companies must build data governance into the life cycle.
- Automate governance. Adding governance to the process can lengthen the time it takes to do the job. By also using tools and platforms that automate data governance, businesses can increase their odds of meeting both goals: being fast and secure. Look for chances to use automation to test data usage throughout the process instead of waiting until the end, to avoid adding time to the cycle when issues are discovered as the app is heading out the (virtual) door.
- Encrypt sensitive data. The heart of most apps involves transferring data, which means that sensitive data is at risk both while at rest and in transit. By encrypting data, you can make it much more secure. However, resist the temptation to build your own encryption and instead opt for already built tools or trusted techniques.
With every development day costing money, it’s natural to be tempted to leave defense until the end and then try to complete the job as quickly as possible. Instead, pause and take the time to redesign the application process with protection built into each step. You just might get to the end and be able to honestly check off all four boxes — good, fast, cheap and secure.