Security concerns regarding TikTok have brought about new restrictions on the app, which has now been banned from government devices tied to the White House, military services, Congress and various state governments.
Frank Catucci, chief technology officer and security research lead at Invicti Security, views the TikTok debate as just one portion of the wider application security conversation, which he discussed in a piece published to Federal News Network on Monday.
According to Invicti research, 86 percent of federal cybersecurity leaders faced breach activity connected to a web application over a recent one-year period. The TikTok issue, said Catucci, has shined a light on four areas that government information technology officials should consider to create a better method of application security scanning.
Both legacy systems and modern applications are exposed to application security risks. Because mobile applications are launched on short timelines, Catucci said, security scanning should be scalable and thorough across all applications.
Application programming interfaces are discrete endpoints that are often overlooked by simple security scans. This lack of oversight leaves gaps that threat actors can easily exploit, and application security scanning tools must be trained on the logic and behaviors of APIs to detect these vulnerabilities, Catucci wrote.
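A crawler-style scanner discovers pages by following links, so an API that is never linked from a page contributes nothing for it to test. An API-aware scan instead takes its target list from the API's own description. The script below is an added example, not code from the article or from Invicti: it parses a constructed OpenAPI 3 fragment (the `SAMPLE_SPEC` paths, schemes and parameter names are all made up for this example), enumerates every method/path operation, and flags operations that declare no security requirement, with state-changing unauthenticated operations called out separately because those are the ones a link-following scan would miss entirely.

```python
import json

# Constructed OpenAPI 3 document used as sample input for this example.
# The paths, scheme and parameters are invented; they do not describe a real API.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}
    },
    # No global security requirement, so each operation must declare its own.
    "security": [],
    "paths": {
        "/users/{id}": {
            "get": {
                "security": [{"bearer": []}],
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "string"}}],
            },
            # DELETE with no security block: inherits the (empty) global policy.
            "delete": {
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "string"}}],
            },
        },
        "/admin/export": {
            "post": {"requestBody": {"content": {"application/json": {}}}},
        },
        "/health": {"get": {}},
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
READ_ONLY = {"GET", "HEAD", "OPTIONS"}


def enumerate_operations(spec):
    """Flatten an OpenAPI 'paths' object into one record per method/path."""
    ops = []
    # Per OpenAPI, an operation without its own 'security' key inherits the
    # document-level one; an explicit empty list means 'no authentication'.
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            security = op.get("security", global_security)
            ops.append({
                "method": method.upper(),
                "path": path,
                "authenticated": bool(security),
                "params": [p["name"] for p in shared_params + op.get("parameters", [])],
                "has_body": "requestBody" in op,
            })
    return ops


def find_unauthenticated(ops):
    """Operations with no security requirement at all."""
    return [f"{o['method']} {o['path']}" for o in ops if not o["authenticated"]]


def find_unauthenticated_writes(ops):
    """Unauthenticated operations that change state; the highest-priority findings."""
    return [f"{o['method']} {o['path']}" for o in ops
            if not o["authenticated"] and o["method"] not in READ_ONLY]


def audit(spec_text):
    """Inventory an API description and report the gaps a crawler would never see."""
    spec = json.loads(spec_text)
    ops = enumerate_operations(spec)
    return {
        "operations": len(ops),
        "unauthenticated": find_unauthenticated(ops),
        "unauthenticated_writes": find_unauthenticated_writes(ops),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SPEC).items():
        print(f"{key}: {value}")
```

The inventory the script produces (method, path, parameter names, whether a body is expected) is exactly the input a scanner needs in order to exercise an endpoint it cannot reach by crawling; the unauthenticated-write list is the short list a reviewer should look at first.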
Least-privilege access is another step federal agencies can take to manage their application security, said Catucci. He noted that the majority of applications request more permissions than they need, and recommended that these permissions be regulated.
Applications can also make connections to unnecessary outside services that may go unseen. Scanning products, Catucci said, must be programmed to identify these connections in order to prevent connections to insecure networks.
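The two checks above (permissions beyond what the application's function requires, and outbound connections to services nobody approved) can both be expressed as a declared manifest compared against a written policy. The script below is an added example, not code from the article or from Invicti, and the manifest format is invented for it: `SAMPLE_MANIFEST`, the permission names, the hostnames, and the `REQUIRED_PERMISSIONS` and `EGRESS_ALLOWLIST` policy values are all constructed. It reports every requested permission outside the required set, and every outbound destination that is either off the allowlist or reached over cleartext HTTP.

```python
import json
from urllib.parse import urlsplit

# Constructed application manifest used as sample input. The app name,
# permission names and hostnames are invented for this example.
SAMPLE_MANIFEST = json.dumps({
    "name": "field-reports",
    "permissions": ["read_reports", "write_reports", "read_contacts",
                    "camera", "location"],
    "outbound": [
        "https://api.reports.example.gov/v1",
        "https://cdn.example.gov/assets",
        "http://telemetry.vendor.example.com/ingest",
        "https://analytics.thirdparty.example.net/collect",
    ],
})

# Policy (assumed for the example): what the application's documented
# function actually needs, and which domains it may talk to.
REQUIRED_PERMISSIONS = {"read_reports", "write_reports", "camera"}
EGRESS_ALLOWLIST = {"example.gov"}   # the domain itself and its subdomains


def host_allowed(host, allowlist):
    """True if host equals an allowlisted domain or is a subdomain of one.

    The '.' prefix check prevents 'notexample.gov' from matching 'example.gov'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def audit_permissions(requested, required):
    """Permissions the app asks for that its function does not require."""
    return sorted(set(requested) - set(required))


def audit_egress(urls, allowlist):
    """(url, reason) pairs for destinations that violate the egress policy."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            findings.append((url, "cleartext transport"))
        if not host_allowed(host, allowlist):
            findings.append((url, "host not in egress allowlist"))
    return findings


def audit_manifest(text, required=REQUIRED_PERMISSIONS, allowlist=EGRESS_ALLOWLIST):
    """Run both least-privilege and egress checks over one manifest."""
    manifest = json.loads(text)
    return {
        "app": manifest["name"],
        "excess_permissions": audit_permissions(manifest.get("permissions", []), required),
        "egress_findings": audit_egress(manifest.get("outbound", []), allowlist),
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{report['app']}: excess permissions {report['excess_permissions']}")
    for url, reason in report["egress_findings"]:
        print(f"  {reason}: {url}")
```

Run in a build pipeline, a non-empty result on either list is a reason to stop and ask the team for a justification before the application ships; the required-permission set and the allowlist are the policy, so they belong under review alongside the code.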
The best security scanning approaches, per Catucci, use a combination of dynamic and static application security testing and software composition analysis in one scan while including coverage for development and production ecosystems and web applications. These tools should also be Software-as-a-Service-based to swiftly adapt to face changing threats.