They say you can only have two of three — fast, good and cheap. When it comes to developing cloud-based applications, I think that a fourth criterion should be added: secure. But I honestly don’t think that this common advice applies to project managers who work in today’s market. Successful developers who take cloud app security seriously must meet all four.

In recent years, many organizations have focused on reducing development time, meaning life cycles are now very short. Deloitte research found that organizations are now expected to deliver projects four times faster, but with the same budget. The biggest reason for the rush to the finish line is money. A shorter cycle means lower development costs, quicker time to market and a lower opportunity cost.

Shorter Cycles Mean Less Cloud App Security

However, the intense focus on time often means increasing risk. Yes, sometimes cloud-based apps get into customers’ hands quicker by skipping security steps and testing. But even with these processes still in the life cycle, the rush to the finish line can mean errors and shortcuts that create risks by mistake that in the long run can cost more — often much more — than coming out a few days (or even weeks) later. Security issues don’t always just affect the app at hand. Rushing cloud app development can also create openings in the development infrastructure, putting future apps as well as company data at risk.

Businesses must carefully consider the increased risks of a shorter app development cycle and work to balance these risks before an attack happens. By making strategic decisions involving security and development time in advance, businesses can deliver secure apps without losing market time.

Keys to Improving Cloud App Security At Speed

The key to improving cloud app security, even with shortened life cycles, is to move from DevOps to DevSecOps. This means digital defense is not a separate task or duty but is instead woven throughout the development process.

Here are some cloud app security best practices you can use while getting to market in a short amount of time:

  • Train developers to fix defense issues while doing their work. Start by knowing the most common security issues in your apps. Then, create a training program aimed at preventing these issues in advance and spotting other possible issues, such as cross-site scripting (XSS), after they have been used against you. Next, empower your team to fix the issues during the process, which saves time finding and correcting openings later.
  • Use built-in Windows protection features. Microsoft offers features designed to protect against a common tactic: targeting static sections of the operating system’s memory. Both address space layout randomization (ASLR) and data execution prevention (DEP) are available to all app developers. However, a recent survey by Secunia found that around 50% of apps do not use these features. Using them does not add major development time, but it does increase security for the apps.
  • Include dynamic application security testing (DAST) in your development cycle. By its very nature, the DAST process helps find possible issues in advance. Because static application security testing (SAST) often produces many false positives that take a lot of time to resolve, DAST is often more efficient.
  • Use prepared statements for database queries. To reduce the risk of structured query language (SQL) injection attacks, which are a top concern, train developers on app-building techniques that prevent this type of attack. If developers use prepared statements or stored procedures, threat actors cannot insert an SQL statement through the input field. This prevents cyber criminals from seeing the database contents or inserting malware into the database.
  • Focus on governance. Many groups shorten their app development life cycle by using low-code platforms, which allow non-developers to build apps. Because both the platforms and the use of citizen developers can increase risks, companies must build data governance into the life cycle.
  • Automate governance. Adding governance into the process can lengthen the time it takes to do the job. By also using tools and platforms that automate data governance, businesses can increase their odds of meeting both goals — being fast and secure. Look for chances to use automation to test data usage throughout the process instead of waiting until the end, to avoid adding time to the cycle if issues are discovered as the app is heading out the (virtual) door.
  • Encrypt sensitive data. The heart of most apps involves transferring data, which means that sensitive data is at risk both while at rest and in transit. By encrypting data, you can make it much more secure. However, resist the temptation to build your own encryption and instead opt for already built tools or trusted techniques.
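The ASLR and DEP opt-ins mentioned above are recorded in a compiled binary's PE optional header (the DllCharacteristics field, set by the MSVC linker's /DYNAMICBASE and /NXCOMPAT options), so a build pipeline can verify them automatically instead of trusting that every project set the flags. The script below is an added example, not code from the original article or from Microsoft; it parses only the header fields it needs and constructs two minimal, non-executable sample headers to exercise the check. The field offsets follow the PE/COFF specification; the sample images and the function names are this example's own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040     # image may be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100        # image is compatible with DEP (no-execute stack/heap)
HIGH_ENTROPY_VA = 0x0020  # 64-bit images: high-entropy ASLR
# IMAGE_FILE_CHARACTERISTICS bit in the COFF header
RELOCS_STRIPPED = 0x0001  # no relocation info, so DYNAMIC_BASE cannot take effect
PE32_PLUS_MAGIC = 0x20B   # optional-header magic for 64-bit images


def read_headers(image):
    """Return (magic, coff_characteristics, dll_characteristics) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    (coff_chars,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                           # optional header follows COFF header
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return magic, coff_chars, dll_chars


def check_mitigations(image):
    """Report whether a built binary opted in to ASLR and DEP."""
    magic, coff_chars, dll_chars = read_headers(image)
    result = {
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        # ASLR is only effective if relocations were kept in the image
        "relocs_stripped": bool(coff_chars & RELOCS_STRIPPED),
    }
    if magic == PE32_PLUS_MAGIC:
        result["high_entropy_va"] = bool(dll_chars & HIGH_ENTROPY_VA)
    return result


def build_sample_image(magic, dll_chars):
    """Construct a minimal PE header (no code, not loadable) for testing the parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    is_64 = magic == PE32_PLUS_MAGIC
    opt_size = 112 if is_64 else 96
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", 0x8664 if is_64 else 0x14C, 0, 0, 0, 0,
                       opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample headers: one hardened 64-bit image, one legacy 32-bit image
HARDENED_X64 = build_sample_image(PE32_PLUS_MAGIC,
                                  DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
LEGACY_X86 = build_sample_image(0x10B, 0)

if __name__ == "__main__":
    for name, image in (("hardened x64", HARDENED_X64), ("legacy x86", LEGACY_X86)):
        print(name, check_mitigations(image))
```

To audit real build output, read the file into `image` with `open(path, "rb").read()` and fail the pipeline stage when `aslr` or `dep` is false (or when `relocs_stripped` is true), which catches the roughly half of applications the Secunia survey found shipping without these opt-ins.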
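The prepared-statement advice above is easiest to appreciate side by side with the string-building habit it replaces. The following is an added example written for this article, not the author's code; it uses Python's standard sqlite3 module with an in-memory table of constructed sample users, and the `find_user_unsafe` / `find_user_safe` names are this example's own. The unsafe version splices user input into the SQL text, so a quote character in the input changes the query's structure; the prepared statement passes the value separately, so the database only ever treats it as data.

```python
import sqlite3


def make_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, username):
    """VULNERABLE: input is interpolated into the SQL string."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY username" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Prepared statement: the value is bound to the ? placeholder by the driver."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed input containing a quote, the classic probe used to illustrate injection
CRAFTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal input:", find_user_unsafe(db, "bob"))
    print("unsafe, crafted input:", find_user_unsafe(db, CRAFTED_INPUT))
    print("safe, normal input:  ", find_user_safe(db, "bob"))
    print("safe, crafted input: ", find_user_safe(db, CRAFTED_INPUT))
```

With an ordinary user name both functions return the same row; with the crafted input the unsafe query's WHERE clause becomes `username = 'x' OR '1'='1'` and returns every user, while the prepared statement looks for a user literally named `x' OR '1'='1` and returns nothing. A code-review or linting rule that flags `%`-formatting or f-strings inside `execute(...)` calls is a cheap way to enforce the habit without slowing the cycle.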

With every development day costing money, it’s natural to be tempted to leave defense until the end and then try to complete the job as quickly as possible. Instead, pause and take the time to redesign the application process (and re-evaluate it for each app) with protection built into each step. You just might get to the end and be able to honestly check off all four boxes — good, fast, cheap and secure.
