3 Things to Know About AppSec in Europe

The European Union has made significant upgrades to its cybersecurity framework in response to critical infrastructure threats. In order to make Europe a safe place to live and work, the Network and Information Security Directive 2 (NIS 2.0) aims to bolster cybersecurity by replacing the original NIS passed in 2016. NIS 2.0 is expanding its coverage to include more sectors and increasing baseline security measures to guard against ever more sophisticated cyber-attacks. 

Malicious actors continue to pose threats to governments and businesses worldwide. Some of the major breaches of late 2022 included: 

• A third-party attack resulted in the release of the personally identifiable information of over 77,000 Uber employees was leaked, marking the second major Uber breach in four months. 
• A hacker released data on over five million Twitter users after they exploited an API vulnerability to steal users’ personal information. 
• A misconfigured endpoint caused over 2.4 terabytes of data on Microsoft accounts to be exposed. 

Top 3 Application Security Best Practices for EU Developers

The following app sec best practices will help you mitigate the most common cybersecurity threats: 

Input Validation

Input validation involves checking that the data received by a program meets specific requirements before it is used. Input validation can be an effective way to prevent various security risks, including injection attacks, such as SQL injection, cross-site scripting (XSS), and command injection.

You should validate all input, both from external sources, such as user input, and internal sources, such as data from a database or another system. Here are some of the measures you should implement for input validation: 

• Validate input as early as possible so you can reject invalid inputs immediately and not waste resources on further processing.
• Use whitelisting to conserve resources by creating a list of valid inputs and only allowing those. This is more secure than blacklisting, as it is easier to overlook a type of invalid input.
• Validate input type to ensure the data received is correct for its intended purpose. 
• Validate input format to ensure the data received is in the correct format. 
• Sanitize input by removing any special characters or code from user input so it can’t be used to inject malicious code.
• Use prepared statements with placeholders when inserting user input into a database to protect against SQL injection attacks.
• Set maximum lengths for input fields to prevent large amounts of data from being sent to the server.
• Test your input validation code thoroughly to ensure it’s working correctly to catch invalid input.

Access Control

With the rise in remote work and cloud computing, endpoint attacks such as the one on Microsoft are occurring more frequently. Implementing access control can help thwart these types of attacks. Zero-trust principles should guide your access control implementation:

• • Use least privilege by only granting access to the resources and permissions that are necessary for users to complete their tasks. 
  • Use strong, unique passwords to help prevent unauthorized access and train people using your systems to set strong passwords. 
  • Implement two-factor authentication to add an extra layer of security by requiring users to provide an additional piece of information before logging in. 
  • Use access control lists (ACLs) to specify which users or groups have access to specific resources.
  • Regularly monitor access and activity on your systems, and be alert for any unusual or unauthorized activity.
  • Encrypt sensitive data to protect it from unauthorized access, both in transit and at rest.
  • Stay current with the latest security patches and updates to help protect against known vulnerabilities.

Code Security

Code security helps protect systems, networks, and data from attack, damage, or unauthorized access. When your code isn’t secure, it can be exploited by hackers and cybercriminals to gain access to sensitive information, disrupt services, or cause harm to individuals or organizations.

Hardening your apps with code security protects the integrity and reliability of your systems. You can do this by: 

• Using secure coding practices like input validation, sanitizing user input, and using only secure libraries and frameworks
• Keeping your code up to date with the latest security patches and updates
• Using version control to track changes to your code and roll back any changes that introduce vulnerabilities
• Using testing to catch vulnerabilities early and use code review to catch any issues that may have been missed
• Using secure channels, such as SSL/TLS, to communicate between systems and protect data in transit
• Using tools like static analysis, dynamic analysis, and penetration testing to identify vulnerabilities in your code

Trends for 2023 in Cybersecurity

Given the continual and unrelenting nature of cybersecurity attacks, there are several new and continuing trends you should expect to see in 2023, including: 

Greater Regulatory Pressure

In line with the EU’s NIS 2.0 directive, you should expect to see increasing regulatory and data privacy measures. In the U.S., 40 states have recently passed or are considering legislation dealing with cybersecurity. At the federal level, President Biden signed a law that mandates reporting critical infrastructure cybersecurity events. 

Increased Use of Threat Detection Tools

It’s a matter of when — not if — a cybersecurity attack will occur, so you can expect to see an increased use of threat detection and response tools. Code security tools like Kiuwan’s security solutions incorporate security from the earliest stages of the DevOps process. These tools notify you of possible vulnerabilities early on so you can respond quickly. 

Rise in Third-party Risk Management 

Many breaches occur as a result of third-party vulnerabilities. Smaller supply-chain organizations often don’t have the cybersecurity protections that larger organizations do, despite having access to the same information. Hackers can attack smaller companies and gain access to upstream organizations. Third-party code poses similar risks when developers include it in their applications. Since almost all applications include some element of third-party code, this is a widespread vulnerability. Using a tool such as Kiuwan Insights Open-Source can help mitigate the risks associated with third-party code. 

Next Steps in Appsec 

With new regulations being adopted internationally and cyber threats increasing, cybersecurity should be a top priority for all developers. Kiuwan’s end-to-end application security platform helps secure your code throughout the development process.

Our products provide SAST, SCA, and QA to help you comply with all stringent security standards and industry regulations, including the latest NIS 2.0 guidelines. Reach out today for a trial to see how we can help you mitigate security risks.