This post is the third in a 4-part series on Application Security, or “AppSec”. The series will define the components of a sound AppSec program, delineate the growing threats to software, weigh the costs of a data breach, and outline the CISO’s responsibility in managing software security risk. Taken together, they are a primer on AppSec best practices that will help organizations build the business case for further investment in this critical IT security discipline.
This series began with a general definition of Application Security (“AppSec”) as a fundamental infosec practice that addresses the reduction of both immediate and systemic software risk. When undertaken correctly, AppSec takes a systematic, programmatic approach to hardening business-critical software, from the inside. That’s not to say that organizations must over-invest in an advanced program from the start to be effective – in fact, quite the opposite.
It’s easy for organizations of any size to get started with AppSec. In fact, there is a well-established evolutionary curve that practitioners follow as they progress and mature their AppSec processes, technology, and indeed their teams as well. The simplest framework to establish programs and policies addresses (and continuously improves) these basic steps: identification of vulnerabilities, assessment of risk, fixing flaws, learning from mistakes, and managing future development better.
The Application Security market has reached sufficient maturity to allow IT management to follow a well-established series of actions to build and scale a program. While the actual progression is more fluid and may contain multiple phases, for the purposes of clarity let’s examine three primary stages of AppSec: Ad-hoc, Baseline Program and Advanced Program.
AD-HOC
- Construction – Initial investment in reactive technologies such as Intrusion Detection Systems and Web Application Firewalls that block active, incoming attacks
- Testing – Software development teams typically start with periodic manual penetration (PEN) testing, but progress rapidly to automated static testing (SAST) of software still in development, then to dynamic testing (DAST) of production applications
- Remediation – Basic triage of test results to fix only the most egregious software flaws, in priority order
- Reporting – Externally driven by industry-specific compliance bodies, according to audit requirements
- Policy – No formal policies, reactive
- Portfolio coverage – Protect only internally developed software to start, but complete an application inventory
BASELINE PROGRAM
- Construction – Initiate investment in basic software developer training, plus add threat modeling and ongoing threat intelligence to anticipate specific attacks, understand harmful impacts, and define countermeasures in advance
- Testing – Combine PEN, SAST and DAST into a hybrid testing regimen
- Remediation – Track processes in an Integrated Development Environment, including a flaw repository with role-based access and validation of bug fixes
- Reporting – Software teams earn formal certification in secure development techniques
- Policy – Defined, according to a Software Development LifeCycle (SDLC) model, with proactive monitoring and incident response
- Portfolio coverage – Extend to third-party applications, such as commercial vendor, open source and outsourced development
ADVANCED PROGRAM – an AppSec “Center of Excellence”
- Construction – Include secure architecture and design practices protecting all applications, with accountability across security, operations and development teams
- Testing – Continual process improvement of testing regimens
- Remediation – Integrate training into development processes, including software change management and scheduled “security gates” for regular re-testing
- Reporting – Gain insight from multiple analytics tracking critical KPIs and benchmarking against industry standards, with independent verification
- Policy – Codify formal governance, risk and compliance management with executive support and policy enforcement, including a cross-functional security committee and contractual requirements of all third parties
- Portfolio coverage – Scale to protect each and every app (including mobile) under a formal vendor management approach
An advanced AppSec program should be a critical component of your organization’s overall information management architecture, and ultimately plays an integral role in business continuity. It is critical to get started on your journey even at a basic level of software protection, but then to rapidly progress beyond ad hoc approaches to a framework for continuous development of effective controls and enforceable policies. To ignore this critical aspect of information security leaves your organization at risk of failed regulatory audits – at best – and at worst exposed to possible business interruption, financial losses and liability due to a crippling security breach.
In our next post in this AppSec 101 series, we’ll examine the various security technologies competing for investment in a CISO’s risk management strategy.