Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

5/17/2021
10:00 AM
Chen Gour-Arie
Chen Gour-Arie
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Agility Broke AppSec. Now It's Going to Fix It.

Outnumbered 100 to 1 by developers, AppSec needs a new model of agility to catch up and protect everything that needs to be secured.

In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than invest their time in critical activities, teams are overwhelmed by gaps in visibility and tools to govern the process. As a result, many digital services remain improperly protected. To catch up, AppSec must adopt a model of agility that is compatible with software development.

The Case for Agility
The agile process continuously integrates small changes and collects meaningful feedback along the way, allowing an ever-progressing evolution of software. With small steps, you pay less for mistakes and learn a lot along the way. This approach, powered by continuous integration/continuous development (CI/CD), source code management (SCM), and an amazing array of collaboration tools, makes the software industry fast and powerful.

Related Content:

More Companies Adopting DevOps & Agile for Security

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Debating Law Enforcement's Role in the Fight Against Cybercrime

AppSec teams are charged with making sure software is safe. Yet, as the industry's productivity multiplied, AppSec experienced shortages in resources to cover basics like penetration testing and threat modeling. The AppSec community developed useful methodologies and tools — but outnumbered 100 to 1 by developers, AppSec simply cannot cover it all.

Software security (like all software engineering) is a highly complex process built upon layers of time-consuming, detail-oriented tasks. To move forward, AppSec must develop its own approach to organize, prioritize, measure, and scale its activity.

What Would Agile AppSec Look Like?
Agile approaches and tools emerged from recognizing the limitations of longstanding approaches to software development. However, AppSec's differences mean it can't simply copy software development. For example, bringing automated testing into CI/CD might overlook significant things. First, every asset delivered outside CI/CD will remain untested and require alternative AppSec processes, potentially leading to unmanaged risk and shadow assets. Second, when developers question the quality of a report, it creates friction between engineers and security, jeopardizing healthy cooperation. This applies to every aspect of AppSec, not just testing.

We need to dig deeper, examine the tenets of agility, and define an approach that overcomes limitations and helps master the chaos.

1. Stakeholders, Deliverables, and Sustainability
AppSec teams' attention is required at all layers of engineering, which often creates bottlenecks, even for teams with a clear focus. This motivates organizations to delegate security tasks to developers. Since AppSec is a resource-consuming discipline, delegating tasks is key to success. However, many organizations struggle with the complexity of ownership in AppSec. For example, automated security tools are merely guests in CI/CD and have varying levels of acceptance among developers, so things may fall between the cracks.

Furthermore, AppSec's role includes directing the organization strategically. As maturity-focused initiatives like BSIMM and SAMM argue, collecting the right data and publishing it to the right stakeholders promotes security simultaneously from the bottom up and the top down.

To become agile, AppSec must own measurement and governance while delivering services in a way that encourages developers to pull security to the left. AppSec agility requires breaking dependencies in anything related to posture measurement and governance and establishing sustainable, independent operations that set their own strategy and tactics.

2. Discovering Requirements
The potential disruption caused by releasing new software in enterprises encourages product teams to avoid assumptions and learn what works for users; there's a constant journey to discover requirements. While security requirements are clear on paper, with software proliferating so quickly, governance of the process becomes aspirational for most teams.

With regulatory and industry standards continuously evolving, AppSec must develop a rapidly agile ability to define the organization's security priorities.

3. People, Processes, and Tools
Agile development requires the cooperation of motivated and empowered individuals. The tools that helped development outpace AppSec, such as Git for working simultaneously on code, Jira for tracking complex plans, and Jenkins for optimizing and standardizing build, test, and deploy, are instrumental to agility. They allow users to invest less on peripheral tasks and move faster while benefiting from the insightful data they hold.

While there is no replacement for having a professional security architect, a razor-sharp pen tester, and a properly armed bug hunter, there is great promise in automated security testing and runtime protection. Instrumental to AppSec agility are systems that reduce menial tasks and utilize data from one activity to make another more effective.

Better, scalable AppSec requires better intel collection, measurement metrics, and orchestration. Teams must be able to allocate their talent well, using prescriptive metrics to guide prioritization. AppSec teams should be able to immediately know what assets they are protecting and which are most important. By making more security services accessible to the organization and providing leadership with actionable measurements, teams will be able to embrace systematic processes such as validated learning and lead their organization to maturity.

From Agile to Mature
The time has come for AppSec to operate at the level of the field it protects. This is the only way for AppSec teams to effectively do their job while providing the speedy production that keeps boards happy. AppSec teams deserve clearer workflows, more automation, and true visibility. Software engineers have learned to master machines and make them our friends. It is high time that application security did the same. Frankly, it can no longer afford not to.

Chen Gour-Arie is the Chief Architect and Co-Founder of Enso Security. With over 15 years of hands-on experience in cybersecurity and software development, Chen demonstrably bolstered the software security of dozens of global enterprise organizations across multiple industry ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
CVE-2021-34067
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
CVE-2021-34068
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.