Here is how you can not only align application security with development cycles, but turn it into a holistic corporate culture
Every modern business is a software business, so software is a big business risk. And as organizations look for ways to decrease their vulnerability to security breaches, many are putting the burden on the shoulders of software development teams to resolve all security issues, or they are simply buying security software and trusting it to address risk.
Neither approach works well on its own: developers cannot absorb every security decision, and a tool is only as good as the process around it. A holistic approach to application security (AppSec) is the better way to secure the organization and its software. What does it mean to build a holistic AppSec program?
A holistic approach involves:
- Understanding internal and external threats and risks
- Building a strong foundation for the AppSec program
- Maximizing the AppSec tools
A terrifying threat landscape
Organizations that run software live in a constant threat state. Growing complexity, shorter development cycles, and the interconnected, always-on nature of software give attackers a continuously available attack surface to probe.
In open source software, days, months, or even years can pass between the moment a vulnerability is introduced and the moment it is discovered. In closed-source software, with fewer eyes on the code, a vulnerability can stay hidden until someone exploits it, which is often the first the developers hear of it.
In this era of terrifying cyber threats, securing software takes more than just tools—it requires prioritizing security and managing it proactively. That means:
- Aligning people, processes, and technology to address security risks based on an organization’s unique policies and business objectives
- Remembering that tools exist to support processes, not replace them; focusing on technology alone leaves the process gaps the tools were meant to cover
- Considering the whole software life cycle rather than a single point in it: place security at each step, including coding, building, testing, release, deployment, and monitoring
Building an AppSec culture
Traditional security methods slow down DevOps velocity, and heavyweight AppSec testing tools can congest the build, test, and release pipelines.
More security tools mean more testing, which means more findings that must be correlated, deduplicated, and prioritized so that developers are not buried in data and can focus on the security issues that matter most.
A true AppSec culture, by contrast, is one in which people, processes, and technologies are aligned to minimize risk, and the whole organization shares that culture, not just the IT or development teams.
A comprehensive AppSec culture includes security champions, metrics, planning, a DevSecOps maturity framework, integrated DevSecOps, and training:
- Security champions
These security-minded members of the IT or development teams have security expertise and want to own the AppSec process, helping to enforce it throughout the development life cycle. Security champions also educate development teams on best practices, keep up with current vulnerabilities and threats affecting the software the organization uses, and track vulnerabilities and issues across teams internally.
- Metrics
A key step is developing a measuring stick to understand how existing processes are working and where they would benefit from improvement, additional resources, or budget. If you do not know where you are now, you cannot know what to develop or invest in next.
- Planning
Build an actionable security plan based on your organization's policies. A security plan is a living document: it evolves and matures over time as teams learn more about the people, processes, and technologies involved and as deficits are unearthed. A plan is good as long as it works; when it stops working, update it or create a new one. Either way, base it on the following:
- Build consensus for objectives
- Determine current state of secure software development lifecycles
- Identify the target state
- Define the budget and the path forward
- DevSecOps maturity
Key to a robust, holistic AppSec program is establishing a DevSecOps maturity framework. That means defining governance and processes, creating a secure design and architecture, and having every process operate within this framework. You can then identify which tools are deployed at each step of DevSecOps and compare that to the plan.
- Integrated DevSecOps
Integrate AppSec naturally into the organization and into every phase of software development, so that security checks run where the work already happens rather than as a separate gate at the end.
- Training
It is vital to train employees so they know how to use DevSecOps tools correctly. A tool used incorrectly is as bad as no tool at all, because it gives a false sense of assurance.
Intelligent, policy-driven DevSecOps
Without the right tools, a security program cannot succeed. To build truly secure software, test at the right time and at the right level. Tools alone are not enough, though. Development teams need to centralize the output of all of the organization's security tools into a single, holistic view. That lets them prioritize tickets, track remediation, and turn raw findings into actionable insight.
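The correlation, deduplication, and prioritization described above (both in the section on AppSec culture and in this one) is what turns several scanners' output into a list developers can act on. The following is an added example, not code from the original article or from any particular vendor's product. The scanner records, their field names, and the advisory id "ADV-0001" are constructed for illustration; real tools emit SARIF or their own JSON, and the severity weights and 10-line bucketing are assumptions a team would tune for itself.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample output from three hypothetical scanners (two SAST tools
# and one dependency scanner). Field names are assumptions, not a real format.
SAST_RESULTS_A = [
    {"tool": "sast-a", "rule": "CWE-89", "file": "app/db.py", "line": 42, "severity": "high"},
    {"tool": "sast-a", "rule": "CWE-79", "file": "app/views.py", "line": 17, "severity": "medium"},
]
SAST_RESULTS_B = [
    # Same SQL sink as sast-a, but the reported line drifted by one.
    {"tool": "sast-b", "rule": "CWE-89", "file": "app/db.py", "line": 43, "severity": "critical"},
    {"tool": "sast-b", "rule": "CWE-798", "file": "app/config.py", "line": 5, "severity": "low"},
]
SCA_RESULTS = [
    # "ADV-0001" is a placeholder advisory id, not a real vulnerability.
    {"tool": "sca", "rule": "ADV-0001", "package": "examplelib", "version": "1.2.3",
     "severity": "high", "exploited": True},
]

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
LINE_BUCKET = 10  # findings within the same 10-line window of a file count as one issue


@dataclass
class Finding:
    rule: str               # CWE id for code findings, advisory id for dependency findings
    location: str           # "path:line" for code, "package@version" for dependencies
    severity: str
    exploited: bool = False  # known to be exploited in the wild
    tools: set = field(default_factory=set)

    def fingerprint(self) -> str:
        """Stable key for the same issue across scanners; absorbs small line drift."""
        if ":" in self.location:
            path, line = self.location.rsplit(":", 1)
            loc_key = f"{path}:{int(line) // LINE_BUCKET}"
        else:
            loc_key = self.location
        return hashlib.sha256(f"{self.rule}|{loc_key}".encode()).hexdigest()[:16]


def normalize(raw: dict) -> Finding:
    """Map one scanner-specific record onto the common Finding shape."""
    if "package" in raw:
        location = f"{raw['package']}@{raw['version']}"
    else:
        location = f"{raw['file']}:{raw['line']}"
    return Finding(rule=raw["rule"], location=location,
                   severity=raw["severity"].lower(),
                   exploited=bool(raw.get("exploited", False)),
                   tools={raw["tool"]})


def correlate(findings):
    """Merge findings sharing a fingerprint: keep the worst severity and every reporting tool."""
    merged = {}
    for f in findings:
        key = f.fingerprint()
        if key in merged:
            m = merged[key]
            if SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[m.severity]:
                m.severity = f.severity
            m.exploited = m.exploited or f.exploited
            m.tools |= f.tools
        else:
            merged[key] = f
    return list(merged.values())


def score(f: Finding) -> int:
    """Priority score: base severity, plus known exploitation, plus corroboration."""
    s = SEVERITY_WEIGHT[f.severity]
    if f.exploited:
        s += 3  # active exploitation outweighs one severity step
    if len(f.tools) >= 2:
        s += 1  # reported by more than one scanner: less likely a false positive
    return s


def triage(*raw_lists, limit=None):
    """Normalize, deduplicate, and rank findings from any number of scanners."""
    findings = [normalize(r) for lst in raw_lists for r in lst]
    ranked = sorted(correlate(findings), key=score, reverse=True)
    return ranked[:limit] if limit else ranked


if __name__ == "__main__":
    for f in triage(SAST_RESULTS_A, SAST_RESULTS_B, SCA_RESULTS):
        print(score(f), f.rule, f.location, f.severity, sorted(f.tools))
```

On the constructed input, five raw records collapse to four issues: the two SQL injection reports on app/db.py merge into one critical, twice-corroborated finding, and the dependency advisory with known exploitation ranks above it despite a lower base severity. The fingerprint and weights are deliberately simple; the point is that the ranking policy lives in one place, where security champions can adjust it, rather than in each developer's head.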