They say you can only have two of three — fast, good and cheap. When it comes to developing cloud-based applications, I think a fourth criterion should be added: secure. And I honestly don’t think the old two-of-three advice holds for project managers who work in today’s market. Successful developers who take cloud app security seriously must meet all four.

In recent years, many organizations have focused on reducing development time, so life cycles are now very short. Deloitte research found that organizations are now expected to deliver projects four times faster, but with the same budget. The biggest reason for the rush to the finish line is money. A shorter cycle means lower development costs, quicker time to market and lower lost opportunity cost.

Shorter Cycles Mean Less Cloud App Security

However, the intense focus on time often means increased risk. Yes, sometimes cloud-based apps get into customers’ hands quicker when security steps and testing are skipped. But even when those processes stay in the life cycle, the rush to the finish line can lead to errors and shortcuts that create risks by mistake, and in the long run those can cost more — often much more — than shipping a few days (or even weeks) later. Security issues don’t always affect only the app at hand. Rushing cloud app development can also create openings in the development infrastructure, putting future apps as well as company data at risk.

Businesses must carefully consider the increased risks of a shorter app development cycle and work to balance these risks before an attack happens. By making strategic decisions involving security and development time in advance, businesses can deliver secure apps without losing market time.

Keys to Improving Cloud App Security At Speed

The key to improving cloud app security, even with shortened life cycles, is to move from DevOps to DevSecOps. This means digital defense is not a separate task or duty but is woven throughout the development process.

Here are some cloud app security best practices you can use while getting to market in a short amount of time:

  • Train developers to fix security issues as they work. Start by knowing the most common security issues in your apps. Then create a training program aimed at preventing those issues in advance and at spotting others, such as cross-site scripting (XSS), after they have been used against you. Next, empower your team to fix issues during development, which saves the time spent finding and correcting openings later.
  • Use built-in Windows protection features. Microsoft offers features designed to defeat a common tactic: targeting fixed, predictable locations in a program’s memory. Both address space layout randomization (ASLR) and data execution prevention (DEP) are available to all app developers. However, a recent survey by Secunia found that around 50% of apps do not use these features. Enabling them adds little development time, but it does increase the security of the apps.
  • Include dynamic application security testing (DAST) in your development cycle. By its very nature, DAST exercises the running app and helps find exploitable issues before release. Because static application security testing (SAST) often produces many false positives that take a lot of time to triage, DAST is often more efficient.
  • Use prepared statements for database queries. To reduce the risk of SQL injection, a top concern, train developers on app-building techniques that prevent this type of attack. If developers use prepared statements or stored procedures, user input is bound as data, so threat actors cannot turn an input field into an executable SQL statement. This prevents cyber criminals from reading the database contents or inserting malware into the database.
  • Focus on governance. Many groups shorten their app development life cycle by using low-code platforms, which allow non-developers to build apps. Because both the platforms and the use of citizen developers can increase risk, companies must build data governance into the life cycle.
  • Automate governance. Adding governance to the process can lengthen the time it takes to do the job. By also using tools and platforms that automate data governance, businesses improve their odds of meeting both goals — being fast and secure. Look for chances to use automation to test data usage throughout the process instead of waiting until the end, so that issues discovered as the app is heading out the (virtual) door don’t add time to the cycle.
  • Encrypt sensitive data. The heart of most apps involves transferring data, which means sensitive data is at risk both at rest and in transit. Encrypting it makes it much more secure. However, resist the temptation to build your own encryption; instead use established libraries and trusted, standard techniques.
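
A quick way to verify the ASLR and DEP point above is to audit the built binary rather than trust the build settings. This is an added example, not code from the original article: a small Python parser that reads the PE header bits the linker sets for /DYNAMICBASE and /NXCOMPAT, plus the COFF relocation flag that silently disables ASLR when the .reloc section has been stripped. The `build_header` helper constructs a minimal sample header so the check runs offline.

```python
import struct

# Flag bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # DllCharacteristics: ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100        # DllCharacteristics: DEP opt-in (/NXCOMPAT)
HIGH_ENTROPY_VA = 0x0020  # DllCharacteristics: 64-bit high-entropy ASLR
RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no .reloc, image cannot move

def check_mitigations(image: bytes) -> dict:
    """Report which build-time mitigations a PE image opts into."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff_flags = struct.unpack_from("<H", image, pe_off + 22)[0]
    opt = pe_off + 24                                           # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                             # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_flags = struct.unpack_from("<H", image, opt + 70)[0]
    # DYNAMIC_BASE is only meaningful if the loader can actually relocate
    # the image; a stripped .reloc section silently disables ASLR.
    relocatable = not (coff_flags & RELOCS_STRIPPED)
    return {
        "dep": bool(dll_flags & NX_COMPAT),
        "aslr": bool(dll_flags & DYNAMIC_BASE) and relocatable,
        "high_entropy_va": magic == 0x20B and bool(dll_flags & HIGH_ENTROPY_VA),
    }

def build_header(dll_flags: int, coff_flags: int = 0, magic: int = 0x20B) -> bytes:
    """Constructed minimal PE header (no sections) so the check runs offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, coff_flags)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(check_mitigations(build_header(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)))
    print(check_mitigations(build_header(0)))
```

Against a real build, call `check_mitigations(open(path, "rb").read())` as a release gate; any module reporting `dep` or `aslr` as False is a candidate for a relink rather than a code change.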

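The prepared-statement point is easiest to see side by side. This added example (not from the original article) uses Python’s built-in sqlite3 module with a constructed in-memory table: the concatenated query lets a crafted value rewrite the WHERE clause, while the parameterized query binds the same value as data and returns nothing.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation: the input becomes part of the SQL text,
    # so a value containing a quote can change the statement's logic.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    # Placeholder binding: the value is sent separately from the SQL text,
    # so it is compared as a plain string and is never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed input whose embedded quote rewrites the WHERE clause
# when concatenated; with a bound parameter it is just an odd username.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAUTOLOGY))  # every row comes back
    print(lookup_prepared(db, TAUTOLOGY))    # [] - no user has that name
```

Placeholders can only bind values, not table or column names, so any identifier that must vary should be chosen from an allow-list in code rather than taken from input.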
With every development day costing money, it’s natural to be tempted to leave security until the end and then try to finish the job as quickly as possible. Instead, pause and take the time to redesign the development process (and re-evaluate it for each app) with protection built into each step. You just might reach the end and be able to honestly check off all four boxes — good, fast, cheap and secure.
