
4 application security bad habits to ditch in 2023 (and best practices to adopt instead)

Article by:

February 2, 2023


Regardless of how last year went, a few things probably come to mind that you’d like to leave in 2022. Maybe it’s a bad habit you’d like to drop or a mindset you’d like to change. But speaking of ditching bad habits, some poor cloud application security practices shouldn’t carry over to 2023 either! 

The app development world is constantly changing. From continued reliance on cloud ecosystems to increased conversation around software supply chain security, 2023 already promises to be full of change for development and security teams alike. But these fast-paced changes mean that some of the most tried-and-true security practices of the past will undoubtedly become as dated as a Nokia flip phone. With that said, here are four examples of bad security habits that are “so last year” and some better alternatives to adopt in 2023:

1. Not including developers in the cloud security conversation

Who’s really in charge of your organization’s cloud security? Our 2022 State of Cloud Security report found that different respondents at the same organization had conflicting answers to this question!

This ownership discrepancy is probably due to the shift left paradigm in today’s application security practices, which has pushed cloud engineers, IT, and infosec teams to implement cloud security earlier in the software development process than ever before. None of these teams fully understand these early stages, which makes it difficult for them to secure their cloud environments effectively or even to understand each other’s security efforts. The developers themselves, however, know the most about these early stages of the SDLC. The first half of a development pipeline is their territory, so they need to be included in these shift left cloud security efforts.

Best practice: Adopt a developer-first approach to cloud security. 

The developers themselves know the most about the early stages of the SDLC, so they need to be included in these shift left cloud security efforts. 

Do this by using a centralized toolkit for cloud security that developers, security teams, IT teams, and cloud architects can all reference. This keeps every team on the same page and prevents duplicate or conflicting work. It’s also important to use a solution that provides clear remediation suggestions, making it as frictionless as possible for developers to fix vulnerabilities within their own projects.

2. Ignoring security tool sprawl

More and more organizations are prioritizing cloud application security practices. But, they often do so by tacking on more and more security tools. As we enter 2023, these tech stacks are becoming sprawling and difficult to manage — wasting time, creating bottlenecks, and misusing security resources. 

Best practice: Consolidate your security stack. 

Your teams will thank you! Fewer tools mean less time learning new interfaces, fewer context switches, and reduced costs. Better yet, facilitate cloud application security best practices with versatile solutions that can tackle several elements at once (e.g., cloud infrastructure, source code, etc., with a single tool).

3. Keeping IaC and cloud security separate

Have you ever turned on your TV and ended up watching part of a random movie? Without the full context, there’s a good chance you didn’t understand some parts of the plotline. It’s similar when teams attempt to put cloud security measures into place without considering infrastructure as code (IaC): they miss the full context of every vulnerability and misconfiguration!

Best practice: Connect the dots between your IaC and cloud security efforts. 

By uniting your cloud security efforts with your IaC, you’ll bring full context to every security alert, expedite the remediation process, and minimize noise for your development and security teams. In addition, a unified front for IaC and cloud security means that your cloud security experts only have to manage one central policy engine, which can then be used across the organization.

4. Creating SBOMs manually

Another cloud application security practice for organizations to ditch in 2023: flying blind without a clear understanding of what’s inside their software and which level of risk each component brings. Hypothetically, this problem is solved by creating a comprehensive software bill of materials (SBOM), but this is much easier said than done. Creating an up-to-date SBOM is a moving target, as any given developer can pull an open source library or container base image, then plug it into an app within seconds.

Even if an organization manages to document all of those moving parts, SBOMs fall short if they’re difficult to use. Security and development teams need to be able to navigate the SBOM and use it to remediate vulnerabilities. Otherwise, it’s an incomplete approach.

Best practice: Use tools that automate aspects of the SBOM building process. 

Search for specialized tools that can expedite the SBOM-creation process. As of October 2022, Snyk offers three options for building an SBOM and checking it for vulnerabilities: a free web tool, an open source project, and an API integration for your native CLI. 

Make 2023 your security program’s best year yet! 

As you and your teams think through ways to adopt these cloud application security best practices, start by seeing where you’re at now.

You can use our Application Security in 2023 quiz as a litmus test!

In addition, we can partner with your team in setting some security-related New Year’s resolutions. Snyk provides a developer-first platform for securing your proprietary code, open source dependencies, containers, and cloud infrastructure from a single location. Learn about some of the newest additions to our developer security platform that we’re especially excited about in 2023.
