Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //
5/17/2021
10:00 AM
Chen Gour-Arie
Chen Gour-Arie
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

Agility Broke AppSec. Now It's Going to Fix It.

Outnumbered 100 to 1 by developers, AppSec needs a new model of agility to catch up and protect everything that needs to be secured.

In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than invest their time in critical activities, teams are overwhelmed by gaps in visibility and tools to govern the process. As a result, many digital services remain improperly protected. To catch up, AppSec must adopt a model of agility that is compatible with software development.

The Case for Agility
The agile process continuously integrates small changes and collects meaningful feedback along the way, allowing an ever-progressing evolution of software. With small steps, you pay less for mistakes and learn a lot along the way. This approach, powered by continuous integration/continuous development (CI/CD), source code management (SCM), and an amazing array of collaboration tools, makes the software industry fast and powerful.

Related Content:

More Companies Adopting DevOps & Agile for Security

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Debating Law Enforcement's Role in the Fight Against Cybercrime

AppSec teams are charged with making sure software is safe. Yet, as the industry's productivity multiplied, AppSec experienced shortages in resources to cover basics like penetration testing and threat modeling. The AppSec community developed useful methodologies and tools — but outnumbered 100 to 1 by developers, AppSec simply cannot cover it all.

Software security (like all software engineering) is a highly complex process built upon layers of time-consuming, detail-oriented tasks. To move forward, AppSec must develop its own approach to organize, prioritize, measure, and scale its activity.

What Would Agile AppSec Look Like?
Agile approaches and tools emerged from recognizing the limitations of longstanding approaches to software development. However, AppSec's differences mean it can't simply copy software development. For example, bringing automated testing into CI/CD might overlook significant things. First, every asset delivered outside CI/CD will remain untested and require alternative AppSec processes, potentially leading to unmanaged risk and shadow assets. Second, when developers question the quality of a report, it creates friction between engineers and security, jeopardizing healthy cooperation. This applies to every aspect of AppSec, not just testing.

We need to dig deeper, examine the tenets of agility, and define an approach that overcomes limitations and helps master the chaos.

1. Stakeholders, Deliverables, and Sustainability
AppSec teams' attention is required at all layers of engineering, which often creates bottlenecks, even for teams with a clear focus. This motivates organizations to delegate security tasks to developers. Since AppSec is a resource-consuming discipline, delegating tasks is key to success. However, many organizations struggle with the complexity of ownership in AppSec. For example, automated security tools are merely guests in CI/CD and have varying levels of acceptance among developers, so things may fall between the cracks.

Furthermore, AppSec's role includes directing the organization strategically. As maturity-focused initiatives like BSIMM and SAMM argue, collecting the right data and publishing it to the right stakeholders promotes security simultaneously from the bottom up and the top down.

To become agile, AppSec must own measurement and governance while delivering services in a way that encourages developers to pull security to the left. AppSec agility requires breaking dependencies in anything related to posture measurement and governance and establishing sustainable, independent operations that set their own strategy and tactics.

2. Discovering Requirements
The potential disruption caused by releasing new software in enterprises encourages product teams to avoid assumptions and learn what works for users; there's a constant journey to discover requirements. While security requirements are clear on paper, with software proliferating so quickly, governance of the process becomes aspirational for most teams.

With regulatory and industry standards continuously evolving, AppSec must develop a rapidly agile ability to define the organization's security priorities.

3. People, Processes, and Tools
Agile development requires the cooperation of motivated and empowered individuals. The tools that helped development outpace AppSec, such as Git for working simultaneously on code, Jira for tracking complex plans, and Jenkins for optimizing and standardizing build, test, and deploy, are instrumental to agility. They allow users to invest less on peripheral tasks and move faster while benefiting from the insightful data they hold.

While there is no replacement for having a professional security architect, a razor-sharp pen tester, and a properly armed bug hunter, there is great promise in automated security testing and runtime protection. Instrumental to AppSec agility are systems that reduce menial tasks and utilize data from one activity to make another more effective.

Better, scalable AppSec requires better intel collection, measurement metrics, and orchestration. Teams must be able to allocate their talent well, using prescriptive metrics to guide prioritization. AppSec teams should be able to immediately know what assets they are protecting and which are most important. By making more security services accessible to the organization and providing leadership with actionable measurements, teams will be able to embrace systematic processes such as validated learning and lead their organization to maturity.

From Agile to Mature
The time has come for AppSec to operate at the level of the field it protects. This is the only way for AppSec teams to effectively do their job while providing the speedy production that keeps boards happy. AppSec teams deserve clearer workflows, more automation, and true visibility. Software engineers have learned to master machines and make them our friends. It is high time that application security did the same. Frankly, it can no longer afford not to.

Chen Gour-Arie is the Chief Architect and Co-Founder of Enso Security. With over 15 years of hands-on experience in cybersecurity and software development, Chen demonstrably bolstered the software security of dozens of global enterprise organizations across multiple industry ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-0560
PUBLISHED: 2023-01-28
A vulnerability, which was classified as critical, has been found in SourceCodester Online Tours & Travels Management System 1.0. This issue affects some unknown processing of the file admin/practice_pdf.php. The manipulation of the argument id leads to sql injection. The attack may be initiated...
CVE-2023-0561
PUBLISHED: 2023-01-28
A vulnerability, which was classified as critical, was found in SourceCodester Online Tours & Travels Management System 1.0. Affected is an unknown function of the file /user/s.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The expl...
CVE-2023-23628
PUBLISHED: 2023-01-28
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the sett...
CVE-2023-23629
PUBLISHED: 2023-01-28
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard...
CVE-2023-23616
PUBLISHED: 2023-01-28
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to...