Application Security Essentials: What ITSM Pros Need to Know
As part of the large-scale move of business operations to the cloud, applications have become central to most companies’ success. They use SaaS applications to transmit, store, and process large amounts of sensitive data—from personally identifiable information (PII) to valuable intellectual property.
That means Application Security (AppSec) will loom ever larger in every IT Service Management (ITSM) portfolio.
ITSM provides a framework for managing and optimizing IT services aligned with business goals. Cybersecurity, which includes AppSec, involves implementing layers of defense, including firewalls and antivirus software, to mitigate the risk of threats.
You can’t tack security onto ITSM as an afterthought. Rather, you should make ample room to build security into the design of your ITSM solution. But when ITSM and cybersecurity come together harmoniously, it becomes a thing of beauty that will help companies of all sizes achieve their business goals.
We’ve outlined the issues around managing AppSec to show how you can use ITSM software to improve application security and bolster your company’s general security posture simultaneously.
Practical integration of ITSM frameworks
ITSM software provides a centralized platform to help businesses manage their IT needs. Well-known benefits are increased efficiency, improved communication and collaboration between different teams and departments in delivering IT services, and better knowledge sharing. These benefits all lead to better business outcomes.
However, one of ITSM’s most critical and increasingly prominent benefits is the potential for better risk management.
ITSM frameworks make provision for processes to manage risks and to minimize the impact of incidents and disruptions on IT services. A well-managed cybersecurity program has the same aims, albeit with a different focus.
Common aims of ITSM and cybersecurity teams
Both teams are familiar with addressing the continuous stream of issues coming in from users. In practice, the two disciplines share the need to:
- Limit the impact of issues and outages.
- Standardize operations with Standard Operating Procedures and checklists for preventative maintenance to minimize costly incidents.
- Maximize flexibility and scalability.
- Improve service quality to meet business needs and expectations.
- Enhance efficiency and productivity by automating routine tasks and implementing workflows and self-help features.
- Streamline communication and improve collaboration between IT teams, security experts, users, and other stakeholders.
The importance of determining priorities
However, if you combine the two disciplines without properly considering some of the laser-focused functions of cybersecurity elements like AppSec, top priorities might clash. That’s why it’s essential to integrate ITSM and cybersecurity, including AppSec, by design.
It is the best way to prioritize reliably the most urgent, dangerous, disruptive, or otherwise important incidents. By designing processes and solutions with a security-first approach, ITSM teams are better prepared to spot, handle, or escalate incidents in the six key areas of cybersecurity. These are:
- Network security
- Endpoint security
- Mobile security
- Information security
- Cloud security for a company’s cloud-based services and assets
- Application security
The biggest threats to AppSec
Application security is a complex topic, but almost all organizations must deal with some of these commonly encountered AppSec problems, which are related to:
- Inherited vulnerabilities inherent in modern applications: These are due to entropy in a constantly changing software development environment. Most organizations have to deal with legacy code. It can be challenging to isolate vulnerabilities, and flaws may be impossible to fix with the newest security tools. Problems build up over time.
- The web app attack vector: Web applications and their misconfigured and forgotten APIs are a leading cause of data leaks. Many API breaches occur in businesses that are unaware that these interfaces exist. A security-first AppSec approach allows ITSM teams to identify the presence of APIs with their associated risks.
- Third-party and open-source vulnerabilities: Open-source vulnerabilities have more than doubled since 2018, and software supply chain attacks are expected to triple by 2025. Since open-source code is used in more than 90% of all applications, there are glaring risks. External attackers can corrupt packages, but maintainers themselves could insert malicious code into packages. It’s impossible to catch all these vulnerabilities manually. You need automated tools to manage timely updates.
- Lack of a DevSecOps approach: Few organizations consistently follow application development security best practices. The urgency and pressure around modern software development may force teams to skip steps. This pressurized environment demands that we find a far more agile way to find and fix issues early in the development cycle. The “shift-left” DevSecOps approach addresses security-related issues in all app development phases as early as possible.
- Lack of development expertise: The demand for applications is high and continues to grow. It has led many new and inexperienced programmers to write web and mobile applications. They often lack the knowledge to spot and solve common security issues.
- Inefficient use of tools: Developers are under tremendous pressure to deliver. They regularly fail to use appropriate testing tools effectively. Some believe these tools slow the development process, failing to grasp the implications of problematic or poor code slipping through the cracks.
- AI has boosted attackers: AI-assisted attacks are becoming more sophisticated, threatening traditional application security programs that often lag behind current trends. AppSec is a complex discipline, and practitioners can fall out of sync with the larger security threat landscape.
The use of ITSM tools in assisting with AppSec
With AppSec’s main challenges listed, it becomes clear that ITSM software has matured into a toolbox of functions that can directly address many AppSec needs in business operations. For instance:
- ITSM APIs enable integration with other applications and systems, automating processes and workflows and streamlining data flow between systems.
- ITSM webhooks can trigger actions in other systems to keep data in sync when specific events occur, for example, when a change request needs approval.
- ITSM plugins can provide integrations with monitoring tools or asset management systems to simplify IT workflows and improve data accuracy.
- ITSM data import/export functionality can enable data exchanges with other systems, for example, migrating data between different systems or integrating data from external sources.
- ITSM identity management systems can enable single sign-on (SSO) for users to simplify access management and improve security.
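The webhook integration described in the list above only keeps data in sync safely if the receiving system can tell a genuine ITSM delivery from a forged or replayed one. The following is an added example, not code from the article or from any ITSM product: both sides of the exchange are simulated in-process, and the header names (`X-ITSM-Timestamp`, `X-ITSM-Signature`), the event shape, the shared secret, and the `change_request.approval_required` event type are assumptions constructed for the illustration. The sender signs the timestamp and body with HMAC-SHA256; the receiver checks the signature in constant time, rejects stale deliveries, and acts only on event types it knows.

```python
"""Authenticated ITSM webhook exchange (added example, not from the article).

Both sides run in one process. Header names, the event shape, the secret and
the signing scheme are assumptions for the illustration, not any vendor's API.
"""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # deliveries older than this window are rejected (replay guard)


def sign_delivery(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<body>'.

    Binding the timestamp into the MAC means it cannot be changed to make an
    old, captured delivery look fresh."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_delivery(secret: bytes, timestamp: int, body: bytes,
                    signature: str, now: int) -> bool:
    """Receiver side: freshness window plus constant-time MAC comparison."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_delivery(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


def _on_approval_required(event: dict, state: dict) -> str:
    """Action taken in the downstream system: queue the change for approval."""
    ticket = event["change_request"]["id"]
    state.setdefault("pending_approvals", []).append(ticket)
    return f"queued approval for {ticket}"


# Allow-list of event types the receiver acts on; anything else is ignored.
HANDLERS = {"change_request.approval_required": _on_approval_required}


def receive_webhook(secret: bytes, headers: dict, body: bytes,
                    state: dict, now=None) -> dict:
    """Validate a delivery and dispatch it. Returns an HTTP-like status/result."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-ITSM-Timestamp", ""))
    except ValueError:
        return {"status": 400, "result": "missing or malformed timestamp"}
    if not verify_delivery(secret, ts, body, headers.get("X-ITSM-Signature", ""), now):
        return {"status": 401, "result": "signature check failed"}
    event = json.loads(body)
    handler = HANDLERS.get(event.get("type"))
    if handler is None:
        return {"status": 202, "result": f"ignored event type {event.get('type')!r}"}
    return {"status": 200, "result": handler(event, state)}


def send_webhook(secret: bytes, event: dict, now: int) -> tuple:
    """Sender side: serialize the event and attach timestamp and signature headers."""
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {"X-ITSM-Timestamp": str(now),
               "X-ITSM-Signature": sign_delivery(secret, now, body)}
    return headers, body


# Constructed sample data: a shared secret and one change-request event.
SHARED_SECRET = b"rotate-me-example-secret"
SAMPLE_EVENT = {"type": "change_request.approval_required",
                "change_request": {"id": "CHG-0001",
                                   "title": "Patch web portal dependency"}}

if __name__ == "__main__":
    state = {}
    t = int(time.time())
    hdrs, body = send_webhook(SHARED_SECRET, SAMPLE_EVENT, t)
    print(receive_webhook(SHARED_SECRET, hdrs, body, state, now=t))
    # A tampered body no longer matches the signature and is rejected.
    tampered = body.replace(b"CHG-0001", b"CHG-0002")
    print(receive_webhook(SHARED_SECRET, hdrs, tampered, state, now=t))
```

The `now` parameter exists so the freshness window can be exercised deterministically; in a real receiver it defaults to the wall clock. Rejecting unknown event types with an allow-list is deliberate: a webhook endpoint that dispatches on arbitrary event names is an easy place for a misconfigured sender to trigger unintended actions.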
A new approach to AppSec
AppSec must become more proactive and agile to overcome the discipline’s main challenges. When looking at the problem from an ITSM perspective, applying these eight fundamental principles will help practitioners formulate a much more secure AppSec approach:
Threat modeling
Threat modeling will help you identify vulnerabilities specific to the company’s industry or niche. Set objectives and define suitable countermeasures to mitigate or prevent threats. When deciding on privacy tools, it’s crucial to understand the differences between services like Apple Private Relay and traditional VPNs. If resources are limited, secure the most critical assets first rather than diluting your security resources across the organization.
Asset tracking
Asset tracking is vital to maximizing visibility across the company. You can only protect what you know about—including those forgotten servers that keep popping up in tales of data breaches. Document what software runs in each app so you can patch and update at a moment’s notice. The Equifax breach is an excellent example of how a lack of visibility can have disastrous consequences. They didn’t know they were using a vulnerable Apache Struts component in their customer web portal, which led to a massive breach and a $700 million penalty because they failed to protect millions of customers’ data.
Managing code libraries
Ensure you know which open-source components you use, how you use them, and where they are stored. Use a continuously updated software bill of materials (SBOM) to stay ahead of new vulnerabilities and attacks. Restrict and track access to your code, software, and data. Regularly update all components and dependencies.
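The asset-tracking and code-library sections above both come down to the same check: knowing which component versions are deployed and comparing them against published advisories as they appear. The following is an added example, not code from the article: it parses a CycloneDX-style SBOM and matches each component against an advisory feed with version ranges. The SBOM, the advisory list, the advisory ids (`ADV-0001`, `ADV-0002`), the affected version ranges, and the `com.example` components are all constructed for the illustration; `struts2-core` is used only because the article names Apache Struts, and the ranges attached to it here are sample data, not a statement about any real advisory.

```python
"""Match a CycloneDX-style SBOM against an advisory feed (added example).

The SBOM and advisory feed are constructed sample data; advisory ids are
placeholders and the version ranges are not taken from any real advisory.
"""
import json
import re

# Constructed SBOM in CycloneDX JSON shape: one entry per dependency.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
         "version": "2.3.30",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.30"},
        {"type": "library", "group": "com.example", "name": "example-http-client",
         "version": "1.4.2",
         "purl": "pkg:maven/com.example/example-http-client@1.4.2"},
        {"type": "library", "group": "com.example", "name": "example-json",
         "version": "3.1.0",
         "purl": "pkg:maven/com.example/example-json@3.1.0"},
    ],
})

# Constructed advisory feed: component key -> affected ranges -> fixed version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "component": "org.apache.struts/struts2-core",
     "ranges": [">=2.3.5,<2.3.32", ">=2.5.0,<2.5.11"], "fixed_in": "2.3.32 / 2.5.11"},
    {"id": "ADV-0002", "component": "com.example/example-http-client",
     "ranges": ["<1.4.0"], "fixed_in": "1.4.0"},
]

_CLAUSE = re.compile(r"(>=|<=|==|>|<)\s*([0-9][0-9.]*)")
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> tuple:
    """'2.3.30' -> (2, 3, 30). Non-numeric suffixes such as '-rc1' are dropped."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", text)
    if not core:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `spec`.

    Tuples are padded with zeros so that '2.3' and '2.3.0' compare equal."""
    v = parse_version(version)
    clauses = _CLAUSE.findall(spec)
    if not clauses:
        raise ValueError(f"unparseable range: {spec!r}")
    for op, bound in clauses:
        b = parse_version(bound)
        width = max(len(v), len(b))
        left = v + (0,) * (width - len(v))
        right = b + (0,) * (width - len(b))
        if not _OPS[op](left, right):
            return False
    return True


def find_affected(sbom_json: str, advisories: list) -> list:
    """Return one record per (component, advisory) pair whose version is in range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        key = f"{comp.get('group', '')}/{comp['name']}".lstrip("/")
        for adv in advisories:
            if adv["component"] != key:
                continue
            if any(version_matches(comp["version"], r) for r in adv["ranges"]):
                hits.append({"component": key, "version": comp["version"],
                             "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{hit['component']} {hit['version']} affected by "
              f"{hit['advisory']}; upgrade to {hit['fixed_in']}")
```

Run against the constructed data, the only hit is `struts2-core 2.3.30` under `ADV-0001`; the `example-http-client` entry is above its advisory's fixed version and `example-json` has no advisory at all. In practice the SBOM would be regenerated on every build and the advisory list pulled from a feed, so the matching runs continuously rather than once.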
Shifting left
Shifting left forces teams to perform security scans early in the development cycle. When you put security in developers’ hands during development, you make fixing code much easier, faster, and cheaper. This is your opportunity to integrate the necessary tools at every step, from your code repositories and build servers to bug-tracking tools.
Developers should be able to address potential risks as soon as they arise. After months of development, you don’t want to release your company’s flagship app and then find out it can’t even pass a DNS leak examination. The most common application security categories are:
- Static Application Security Testing (SAST): Analyzes the application source files for root causes to detect code flaws.
- Dynamic Application Security Testing (DAST): Proactive testing to identify exploitable flaws for applications in production.
- Interactive Application Security Testing (IAST): IAST uses SAST and DAST elements to assess the application’s code and components.
- Runtime Application Self-Protection (RASP): RASP tools provide continuous security checks and automatic responses to possible breaches, e.g., terminating a suspicious session.
- Mobile Application Security Testing (MAST): Tests mobile-specific issues and security vulnerabilities, e.g., jailbreaking and data leakage from mobile devices.
- Web Application Firewall (WAF): Filters all HTTP traffic passing between the Internet and web applications. It’s part of a security stack against attacks such as cross-site scripting (XSS) or cross-site request forgery (CSRF).
- Cloud-Native Application Protection Platform (CNAPP): Unifies various security tools and technologies, such as cloud security posture management (CSPM), identity management, and automation. It also covers API discovery and container orchestration platforms such as Kubernetes.
Using automation
Automation improves speed. Given the shortage of security professionals, automation can improve detection, triage, and response to possible threats. However, automation-based risks will significantly increase in the next decade as hackers adopt automation to create more advanced viruses, spyware, and ransomware. Consider automating your ITSM processes before you connect them to your security protocols to ensure that adding ITSM to the security system will not compromise your IT infrastructure.
Implementing good governance practices
Use your ITSM software to implement good governance practices. Develop processes and a good cybersecurity incident response plan and apply them consistently. Your ITSM software should allow you to review processes regularly and test response plans by running drills to ensure you are ready to address brand-new vulnerabilities and threats.
Managing privileges
Employ your central ITSM platform to manage privileges. Restrict user access to data and applications on a need-to-know basis. It’s a fundamental security best practice. Least-privilege access controls help prevent lateral movement inside networks. AI-based models can help identify suspicious activities.
Changing the company mindset
Instill a security-first culture throughout your teams and your organization. The human factor is ever-present, which means security is a collective effort. Every employee must apply best practices at the appropriate level. Heed the business’s goals and listen to the needs of all teams or departments.
For example, many countries have recently adopted data privacy laws. Consequently, ITSM and security teams should implement changes in how they collect, store, and use unique consumer information, such as biometric and facial identification features.
Key takeaways
- Application Security (AppSec) is an essential aspect of IT Service Management (ITSM) portfolios, especially with the rise of cloud-based applications.
- AppSec problems include inherited vulnerabilities, web app attack vectors, and third-party and open-source vulnerabilities. Application security is fundamental to ensuring continued business stability.
- ITSM software provides a centralized platform to manage IT needs.
- ITSM and cybersecurity teams have different focuses but many common aims, including limiting the impact of issues and outages, standardizing operations, enhancing efficiency, and improving service quality.
- Integrating ITSM and cybersecurity, including AppSec, by design ensures better risk management and prioritization of incidents.
The way forward for ITSM-managed AppSec
Organizations face an ever-growing and rapidly evolving threat landscape that puts their sensitive data and critical systems at risk. Pairing cybersecurity, and specifically AppSec measures, with an effective ITSM framework can create synergy and improve overall security posture.
Cybersecurity considerations should be integrated into incident management and other ITSM processes: access controls, training employees on cybersecurity best practices, and regular cybersecurity audits all become more secure and efficient when run through the same framework. By implementing these practices, businesses can enhance their overall security posture and achieve their business goals more effectively.