Bionic Uncensored: Securing Business Critical Apps in Production

According to Business Wire, 75% of CISOs are concerned that too many application vulnerabilities leak into production, despite a multi-layered security approach.

Why do you think this is?

The new fad is shifting left, which means application security effort is concentrated in development rather than on securing your business-critical applications in production.

Companies are using incomplete application maps produced by Visio diagrams or APM tools and relying on CSPM (or another cloud/container security tool) to secure their “apps” in production.

In this episode of Bionic Uncensored, Matt Rose explores:

  • The main target for most hackers
  • Different security tools used to try and secure applications
  • Different development stages of application security
  • How ASPM differentiates itself from other AppSec and CloudSec tools

Watch the full episode to learn how to create a complete application security and cloud security program that will help you secure business-critical applications in production.


Top 3 Takeaways

Takeaway #1: Application Security in Development Stages

In cloud-native development, you have multiple development teams that individually check code into a repo. CI/CD processes are then in charge of collecting and compiling the artifacts and passing the compiled code to the cloud for deployment.

SCA (software composition analysis) tools typically can be configured to scan specific components of applications (such as open source packages) in the repo as well as in CI/CD pipelines.

SAST tools are also introduced into the CI/CD pipelines and in the Dev environments to automate scanning of application components to look for common OWASP Top 10 vulnerabilities.

Multiple pipelines create a gap: each pipeline discovers its own set of vulnerabilities, and there typically isn’t an easy way to correlate the vulnerabilities found in Dev 1 with those found in Dev 2 and Dev 3.

Securing business critical apps pre-production

Takeaway #2: Application Security in the Cloud Environment

Once the compiled artifacts are deployed into the cloud environment, DAST solutions can also be introduced to create “what if” scenarios and try to hack into your applications.

DAST can be deployed in production, but these tools use agents that add significant overhead and can slow application performance. Typically we see DAST deployed in pre-production environments.

The tools most commonly scanning the cloud environment in production focus on the cloud infrastructure, not on the applications that run inside it. These include CSPM, CWPP, and CNAPP tools.

Takeaway #3: Application Security Posture Management in Production

The knowledge gap between Dev 1, 2, and 3 lies in the communication between their components.

Dev 1 and Dev 2 are connected by a data flow carrying PII, and Dev 1 may also be making an API call to an internet-facing service. If vulnerabilities found in Dev 1 are marked “not critical” because, viewed in isolation, no sensitive data appears to be exposed, you may not prioritize fixing that risk in the repo or build stage of development.

That means there is a critical business risk in production that goes unnoticed or ignored.

Don’t believe us? Peloton was notified of an unauthenticated API that they already knew about. Hackers gave them a 90-day deadline to fix the bug, but Peloton decided to ignore the request. The result? Millions of PII data records were potentially exposed.

The gap that needs to be filled here is where ASPM comes into the picture: a complete application architecture map that is up to date with your production environment.

You need to fully understand the business-critical risk posture of your applications as they run in production.
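To make the correlation gap from Takeaway #1 and the re-prioritization scenario from Takeaway #3 concrete, here is an added illustration written for this page; it is not Bionic's code or product logic. It models an application map (services, call edges, data-flow classifications) and uses it to re-rank findings that separate pipelines reported in isolation. The service names, flows, findings and the two escalation rules (one step for internet reachability, one step for sitting on a PII flow) are constructed assumptions, not values from the episode.

```python
from collections import deque
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}


@dataclass
class Service:
    name: str
    team: str                     # dev team / pipeline that owns and scans it
    internet_facing: bool = False


@dataclass
class DataFlow:
    src: str                      # calling or sending service
    dst: str                      # called or receiving service
    classification: str           # constructed labels: "internal" or "pii"


@dataclass
class Finding:
    service: str
    tool: str                     # "sast" or "sca": the pipeline scanner that reported it
    title: str
    severity: str                 # severity as judged in isolation by that scanner


@dataclass
class AppMap:
    services: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def reachable_from_internet(self) -> set:
        """Breadth-first walk from internet-facing services along call edges."""
        frontier = deque(s.name for s in self.services.values() if s.internet_facing)
        seen = set(frontier)
        while frontier:
            cur = frontier.popleft()
            for f in self.flows:
                if f.src == cur and f.dst not in seen:
                    seen.add(f.dst)
                    frontier.append(f.dst)
        return seen

    def handles_pii(self, name: str) -> bool:
        """True if the service sends or receives a flow classified as PII."""
        return any(f.classification == "pii" and name in (f.src, f.dst)
                   for f in self.flows)


def contextual_severity(finding: Finding, appmap: AppMap, exposed: set):
    """Raise the scanner's isolated severity using production context.

    Assumed rule: each applicable factor bumps severity one step, capped at
    critical. The reasons list keeps the re-ranking auditable.
    """
    rank = SEVERITY_RANK[finding.severity]
    reasons = []
    if finding.service in exposed:
        rank += 1
        reasons.append("reachable from an internet-facing service")
    if appmap.handles_pii(finding.service):
        rank += 1
        reasons.append("on a PII data flow")
    return RANK_SEVERITY[min(rank, SEVERITY_RANK["critical"])], reasons


def prioritize(findings, appmap):
    """Correlate findings from every pipeline into one list ranked by production risk."""
    exposed = appmap.reachable_from_internet()
    ranked = []
    for f in findings:
        sev, reasons = contextual_severity(f, appmap, exposed)
        ranked.append({"service": f.service, "team": appmap.services[f.service].team,
                       "tool": f.tool, "title": f.title, "scanner_severity": f.severity,
                       "contextual_severity": sev, "reasons": reasons})
    ranked.sort(key=lambda r: (-SEVERITY_RANK[r["contextual_severity"]], r["service"]))
    return ranked


def build_sample_map() -> AppMap:
    """Constructed topology mirroring the Dev 1 / Dev 2 / Dev 3 scenario."""
    services = [Service("web-gateway", "dev1", internet_facing=True),
                Service("orders-api", "dev1"), Service("profile-svc", "dev2"),
                Service("batch-report", "dev3"), Service("warehouse", "dev3")]
    flows = [DataFlow("web-gateway", "orders-api", "internal"),
             DataFlow("orders-api", "profile-svc", "pii"),       # Dev 1 -> Dev 2 PII flow
             DataFlow("batch-report", "warehouse", "internal")]  # Dev 3 is not exposed
    return AppMap({s.name: s for s in services}, flows)


# Constructed per-pipeline findings, each scored in isolation by its own scanner.
SAMPLE_FINDINGS = [
    Finding("orders-api", "sast", "SQL injection in order lookup", "medium"),
    Finding("profile-svc", "sca", "Deserialization flaw in a dependency", "high"),
    Finding("web-gateway", "sast", "Verbose error messages", "low"),
    Finding("batch-report", "sca", "Outdated logging library", "medium"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, build_sample_map()):
        print(f'{r["contextual_severity"]:8} (scanner: {r["scanner_severity"]:6}) '
              f'{r["team"]}/{r["service"]}: {r["title"]}  {"; ".join(r["reasons"])}')
```

The “medium” SQL injection that Dev 1's SAST scan would have left in the backlog ranks as critical once the map shows the service is reachable from the gateway and feeds PII to Dev 2's service, while Dev 3's finding, with no exposure and no sensitive flow, keeps its scanner severity.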

Want to learn more? Check out 6 tools used to secure business-critical applications.
