They say you can only have two of three — fast, good and cheap. When it comes to developing cloud-based applications, I think a fourth criterion should be added: secure. But I honestly don’t think this common advice to project managers holds up in today’s market. Successful developers who take cloud app security seriously must meet all four.

In recent years, many organizations have focused on reducing development time, so life cycles are now very short. Deloitte research found that organizations are now expected to deliver projects four times faster, but with the same budget. The biggest reason for the rush to the finish line is money. A shorter cycle means lower development costs, quicker time to market and lower opportunity cost.

Shorter Cycles Mean Less Cloud App Security

However, the intense focus on time often means increased risk. Yes, sometimes cloud-based apps reach customers’ hands quicker by skipping security steps and testing. But even when those steps stay in the life cycle, the rush to the finish line invites errors and shortcuts that create risk by mistake, and in the long run those can cost more, often much more, than shipping a few days (or even weeks) later. Security issues don’t only affect the app at hand. Rushing cloud app development can also open holes in the development infrastructure itself (build pipelines, credentials and deployment tooling), putting future apps as well as company data at risk.

Businesses must carefully consider the increased risks of a shorter app development cycle and work to address those risks before an attack happens. By making strategic decisions about security and development time in advance, businesses can deliver secure apps without losing time to market.

Keys to Improving Cloud App Security At Speed

The key to improving cloud app security, even with shortened life cycles, is to move from DevOps to DevSecOps. This means security is not a separate task or duty but is woven throughout the development process.

Here are some cloud app security best practices you can use while getting to market in a short amount of time:

  • Train developers to fix security issues as part of their work. Start by knowing the most common security issues in your own apps; your bug tracker and past pentest findings are the best source. Then create a training program aimed at preventing those issues up front and at recognizing others, such as cross-site scripting (XSS), before they are used against you. Next, empower your team to fix issues during development, which saves the time spent finding and correcting openings later.
  • Use built-in Windows protection features. Microsoft offers features designed to defeat a common exploitation tactic: relying on code and data sitting at predictable addresses in a process’s memory. Address space layout randomization (ASLR) randomizes where an image is loaded, and data execution prevention (DEP) marks stack and heap pages non-executable. Both are available to all app developers; for native code they are enabled per binary at link time (/DYNAMICBASE and /NXCOMPAT in the Microsoft linker). However, a recent survey by Secunia found that around 50% of apps do not use these features. Using them adds no significant development time, but it does increase the security of the apps. Check every module you ship, not just the main executable: a single DLL linked without ASLR gives an attacker a fixed address to work from.
  • Include dynamic application security testing (DAST) in your development cycle. DAST exercises the running application the way an attacker would, so it finds issues that only show up at runtime, such as server misconfiguration or broken authentication, before release. Because static application security testing (SAST) often produces many false positives that take a lot of time to triage, DAST is often more efficient. The trade-off is that DAST needs a deployable build, so it lands later in the cycle; run it against a staging environment on every build rather than once before launch.
  • Use prepared statements for database queries. To reduce the risk of SQL injection, which remains a top concern, train developers on app-building techniques that prevent it. If developers use prepared statements (parameterized queries), or stored procedures that do not build SQL strings dynamically, the database treats user input strictly as data, so a threat actor cannot smuggle an SQL statement in through an input field. That stops criminals from reading the database contents, tampering with them or planting malicious content in the database.
  • Focus on governance. Many groups shorten their app development life cycle by using low-code platforms, which let non-developers build apps. Because both the platforms and citizen developers can increase risk (who can reach which data, and where it flows), companies must build data governance into the life cycle.
  • Automate governance. Adding governance to the process can lengthen the time the job takes. By also using tools and platforms that automate data governance, businesses improve their odds of meeting both goals: being fast and secure. Look for chances to automate checks on data usage throughout the process instead of waiting until the end, so that an issue discovered as the app heads out the (virtual) door does not add time to the cycle.
  • Encrypt sensitive data. The heart of most apps is moving data, which means sensitive data is at risk both at rest and in transit. Encrypting it (TLS for every connection, including service-to-service traffic inside the cloud, and the platform’s managed encryption for storage) makes it far harder to expose. Resist the temptation to build your own encryption; use established libraries and trusted, vetted techniques instead.
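The ASLR/DEP point above is easy to verify in a build pipeline. As an added example (not code from the original article), the following Python script reads a PE image’s DllCharacteristics flags, which is where the linker records whether /DYNAMICBASE (ASLR) and /NXCOMPAT (DEP) were applied. The two sample images are constructed in memory so the check runs offline on any platform; in practice you would point it at every .exe and .dll in your build output.

```python
"""Report which exploit mitigations a Windows PE image opts into.

Added example, not code from the original article. Only the headers are
parsed, so the check works on any OS. The two sample images below are
constructed test data, not real binaries.
"""
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (PE32+ only)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR, set by /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP, set by /NXCOMPAT


def pe_mitigations(image: bytes) -> dict:
    """Return {'aslr', 'dep', 'high_entropy_aslr'} flags for a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    # e_lfanew (offset 0x3C of the DOS header) points to the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # The 20-byte COFF file header follows the signature; then the optional header.
    opt = pe_offset + 4 + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 of the optional header in both formats
    # (PE32 has a 4-byte BaseOfData that PE32+ folds into its 8-byte ImageBase).
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_aslr": magic == 0x20B
        and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the baseline mitigations the image lacks; empty means it passes."""
    flags = pe_mitigations(image)
    return [name for name in ("aslr", "dep") if not flags[name]]


def _sample_image(dll_chars: int, magic: int = 0x20B) -> bytes:
    """Build a minimal header-only PE image (constructed test data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    machine = 0x8664 if magic == 0x20B else 0x14C  # x64 or x86
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: one linked with the mitigations, one without.
HARDENED = _sample_image(
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
)
LEGACY = _sample_image(0)

if __name__ == "__main__":
    import sys

    for label, image in (("hardened sample", HARDENED), ("legacy sample", LEGACY)):
        print(f"{label}: {pe_mitigations(image)} missing={missing_mitigations(image)}")
    for path in sys.argv[1:]:  # real binaries from the build output
        with open(path, "rb") as f:
            data = f.read()
        print(f"{path}: missing={missing_mitigations(data)}")
```

Run it with the paths of your build artifacts as arguments and fail the pipeline stage when any module reports a non-empty missing list. Note that this only covers the link-time opt-in; a release image can still lose the benefit if it is loaded alongside a third-party DLL that was built without the flags.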

With every development day costing money, it’s natural to be tempted to leave security until the end and then finish it as quickly as possible. Instead, pause and take the time to redesign the application process (and re-evaluate it for each app) with protection built into each step. You just might reach the end and be able to honestly check off all four boxes: good, fast, cheap and secure.
