A CISO’s Guide To Application Security – Part 1: Defining AppSec

Editor’s Note: This post is the first in a multi-part series on Application Security, or “AppSec”, prepared by our friends over at application testing firm Veracode. The series will define the components of a sound AppSec program, delineate the growing threats to software, weigh the costs of a data breach, and outline the CISO’s responsibility in managing software security risk. Taken together, they are a primer on AppSec best practices that will help organizations build the business case for further investment in this critical IT security discipline.

by Fergal Glynn, Veracode Inc.


The practice of Application Security, or “AppSec” for short, protects an organization’s critical data from attack by ensuring the security of all of the software used to run the business. Just as Quality Assurance (QA) is the operational solution to the problem of product quality, AppSec is the operational solution to the problem of software risk. AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application, no matter the function, language or platform.

Before we talk about application security, however, it’s important to first understand what we mean by the term “software vulnerability.” A software vulnerability is a flaw in an application’s code or design that lets an attacker make the program handle data, or grant access, in a way its authors never intended. These “holes” in an application can be exploited by a hacker, spy or cybercriminal as an entry point to steal sensitive, protected or confidential data.

A number of respected information security research groups publish guidance on common insecure programming errors to avoid. Two of the most respected are the CWE/SANS “Top 25 Most Dangerous Software Errors” and the OWASP “Top 10”. Both lists prioritize vulnerabilities where the application insecurely sends or receives data, improperly manages system resources, or ignores standard defensive techniques.

As a best practice, AppSec employs proactive, preventative methods to manage software risk and align an organization’s security investments with the reality of today’s threats. It has three distinct elements:

1) Measurable reduction of risk in existing applications

2) Prevention of the introduction of new risks

3) Ensuring compliance with software security mandates

Because the severity and frequency of cyber attacks continue to rise, the practice of AppSec is only growing in importance. And because the variety of business software continues to proliferate, AppSec as a discipline is also becoming more complex. Here are some of the reasons why (see if these sound familiar):

  • Today’s enterprise software comes from a variety of sources – in-house development teams, commercial vendors, outsourced solution providers, and open source projects.
  • Software developers have an endless choice of programming languages to choose from – Java, .NET, C++, PHP, and more.
  • Applications can be deployed across myriad platforms – installed to operate locally, over virtual servers and networks, accessed as a service in the cloud, or running on mobile devices.

Because each of these development and deployment options can introduce security vulnerabilities, AppSec products must provide capabilities for managing security risk across all of them. In a future post in this series, we’ll talk about ways that CISOs can codify AppSec practices into a formal program, or Center of Excellence, that unites people, processes and technology. For now, it’s only important to understand that an effective software security strategy addresses both immediate and systemic risk.

The Application Security market has reached sufficient maturity to allow organizations of all sizes to follow a well-established roadmap:

  • Begin with software security testing to find and assess potential vulnerabilities
  • Follow remediation procedures to prioritize and fix them
  • Train developers on secure coding practices
  • Leverage ongoing threat intelligence to keep up-to-date
  • Develop continuous methods to secure applications throughout the development life cycle
  • Instantiate policies and procedures that instill good governance

Testing and remediation form the baseline response to insecure applications. But the critical element of a successful AppSec effort is ongoing developer training. Security-conscious development teams introduce far fewer vulnerabilities, because they know the common errors and avoid them. Take, for example, data input validation: the process of ensuring that a program operates only on clean, correct and useful data. Neglecting this step, and failing to build in standard input validation rules or “check routines”, leaves the application open to common attacks such as cross-site scripting and SQL injection. One caveat a trained developer will recognize: validation narrows the attack surface, but it is not the primary defense against those two attacks. SQL injection is stopped by parameterized queries that keep data out of the query grammar, and cross-site scripting by context-aware output encoding; validation is the layer on top of those, not a substitute for them.
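The following is an added example, not code from the original post or from Veracode, that makes the input-validation point concrete. It shows a user lookup built by string concatenation beside the same lookup with a parameterized query, and an HTML greeting with and without output encoding, using an in-memory SQLite database seeded with constructed rows. The `users` table, its columns, the usernames and the allow-list pattern are all assumptions made for the example.

```python
"""Added example (not from the original post): input validation,
parameterized queries and output encoding, vulnerable beside hardened."""
import html
import re
import sqlite3

# Allow-list for usernames: an assumption for this example. Rejecting
# anything outside the pattern is the "check routine" the post describes.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_role_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': the query text is assembled by concatenation, so
    untrusted input becomes part of the SQL grammar (SQL injection)."""
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def is_valid_username(username: str) -> bool:
    """Input validation: True only if the whole string matches the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_role_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Primary defense: the driver binds the value separately from the
    query text, so quotes in the input are just characters in a string."""
    rows = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchall()
    return sorted(row[0] for row in rows)


def lookup_role_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Validation on top of parameterization: reject bad input early,
    and stay safe even if the allow-list is later loosened."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_role_parameterized(conn, username)


def render_greeting_vulnerable(display_name: str) -> str:
    """The 'before' for cross-site scripting: untrusted text is placed
    straight into HTML, so markup in the input is rendered as markup."""
    return "<p>Hello, " + display_name + "</p>"


def render_greeting_hardened(display_name: str) -> str:
    """Context-aware output encoding for an HTML text node: the
    characters that open tags or attributes are escaped as entities."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_role_vulnerable(db, payload))   # leaks every role
    print("parameterized:", lookup_role_parameterized(db, payload))  # []
    print("validated?", is_valid_username(payload))              # False
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_hardened("<script>alert(1)</script>"))
```

Running the block shows the concatenated query returning every role for the injected input while the parameterized one returns nothing, and the escaped greeting carrying the `<script>` text as inert entities. The validation step is kept separate from the parameterized query on purpose: the query stays safe if a later requirement (display names with apostrophes, say) forces the allow-list to widen.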

When undertaken correctly, Application Security is an orderly process of reducing the risks associated with developing and running business-critical software. Properly managed, a good application security program will move your organization from a state of unmanaged risk and reactive security to effective, proactive risk mitigation.

In our next post, we’ll examine the growing threats targeting business applications from hacks, attacks and malware.

If you want to learn more, check out Veracode’s Webcasts on Application Security Fundamentals and Next Generation Application Security & Intelligence.
