12 key application security best practices

1. Understand the requirements

When developing or adopting an application, define the app, what it will do, its scope of activities, who will access it and other criteria defined by the business units using it. This step includes identifying all resources -- e.g., system, networks and cloud services -- that will use the application, as well as its dependencies. Creating a software bill of materials is important in this step.

2. Secure management authorization and funding

Ensure senior management, especially within the IT department and business unit, has reviewed the proposed application and approves the work and necessary funding.

3. Shift left to secure each step of the SDLC

Shifting security left in the SDLC refers to integrating security earlier in the development process rather than addressing them during testing or after deployment. This proactive approach is key to mitigating threats and ensuring secure coding practices while also leading to faster delivery of high-quality software.

Learn more about the DevSecOps practices that help shift security left.

4. Develop a defense-in-depth strategy

Ensure the overall application security strategy is designed to address and mitigate a wide variety of events using a defense-in-depth approach that involves a range of security tools. Adding layers of protection improves security because attackers would need to compromise multiple defenses to reach the application.

5. Conduct risk, threat and vulnerability analyses

These activities identify issues and situations that could affect the application's security posture. Perform analysis prior to coding or before an off-the-shelf application enters production environments. Outputs include identifying potential security events and their worst-case outcomes, as well as single points of failure.

Schedule periodic risk analyses to ensure security measures continue to address applicable risks, threats and vulnerabilities.

6. Identify and implement security controls

Factor the following controls into the app's development and ongoing management. Review them continuously during each stage of the SDLC, including regularly after deployment into production:

• Access controls. Prevent unauthorized access to the application and its data. Implement zero-trust network access, which assumes all access attempts are risky and should not be trusted until sufficient verification has been completed.
• Authentication controls. Verify that the individuals seeking access are who they claim to be. Implement MFA.
• Authorization controls. Verify that the people requesting access to an app are approved for such access. Use role-based access control, which links app access to a person's job and responsibilities, and the principle of least privilege, which provides users access to only the resources they need to do their jobs -- and nothing else.
• Corrective controls. Address and mitigate security problems. Actions could include shutting down an app that is suspected of permitting a breach or installing a security patch.
• Detection controls. Once an app is in production, identify security events using technologies including firewalls, intrusion detection systems (IDSes) and application scanning tools.
• Encryption controls. Activate at the network and app levels. Encrypt data input and output, and data in motion and at rest to prevent unauthorized access.
• Logging controls. Track activity by application. This helps identify suspicious traffic and behaviors, while also providing important metrics for measuring application performance.
• Preventive controls. Build into the application so they are in place when the app goes live. These controls are designed to block unauthorized attempts to access the app and its data. Technologies include firewalls and intrusion prevention systems (IPSes).
• Security-testing controls. Identify weaknesses and vulnerabilities in the app. These essential capabilities are especially important during the development and testing stages. Learn about the key types of application security testing.

7. Use secure coding methods

When coding a new application or identifying ways to modify an existing or off-the-shelf product, apply industry standards, guidance and checklists to ensure secure coding methods and security practices. For example, consider "NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations" and the "OWASP Web Security Testing Guide."

8. Address API security

APIs are ubiquitous elements in application programming -- and popular targets for attackers. APIs typically include key attributes of an application, such as programming logic and security credentials. Be sure your app strategy addresses API security threats.

9. Use powerful logging and monitoring.

Protect data logs from unauthorized access. Strong monitoring helps security teams identify suspicious data traffic and potential vulnerabilities, and optimizes event analysis and mitigation.

10. Establish an incident response plan

Incident response plans help ensure a rapid and coordinated response to suspicious traffic or other security events. Create a plan that is flexible enough to respond to a variety of security threats, and specify the roles and responsibilities of the incident response team. Schedule incident response exercises to ensure the team is prepared for an event.

11. Update security resources

Best practices include keeping firewall rules current, ensuring IDS/IPS software is up to date and patching security software regularly.

12. Consider using AI

AI has become a significant component of enterprise security, including application security. Many security products incorporate AI to provide capabilities that might not otherwise be available.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.