Article published in TechBeacon by Dennis Hurst, President and Founder of Saltworks Security – Orasi’s joint-venture.
Application security is an essential component of your application development and secure DevOps practices. It involves assessing, monitoring, finding, fixing, and enhancing the overall security and integrity of applications and covers a range of technical elements (hardware, network misconfigurations, software flaws, consistent testing, attack response, and more).
As businesses race to the cloud and quickly build applications with hybrid teams, the added exposure to vulnerabilities makes app sec an even greater IT focus. Cloud-jacking is emerging as a dominant cybersecurity threat, and 2020 saw more enterprises betting on cloud computing. Cloud misconfiguration is a growing challenge; the Sophos 2020 Threat Report noted it as the driver for most incidents.
Also, with an increased dependence on application programming interfaces, API-based breaches are more prevalent. Imperva found that API security readiness typically lags behind web app security across many organizations. More than two-thirds of organizations surveyed readily make APIs available to the public so that external developers and partners can tap into their app ecosystems and software platforms, which significantly expands the attack surface. Add in pandemic-induced work-from-anywhere models and the enterprise software and cloud applications that hybrid teams depend on, and you have yet another opportunity for critical-class bugs.
It’s obvious why app sec is demanding more of IT’s budget. Organizations are finally realizing the need to put sufficient attention, investment, and innovation into app sec, so the applications being built empower businesses rather than weaken them.
Sonatype’s 2020 DevSecOps survey found that mature DevOps practices and good security practices go hand in hand: they grow in relation to each other. The faster companies accept DevSecOps as a way of development life, the more app dev teams will be doing to truly support their organization.
To build end-to-end, world-class app sec programs and lay a foundation that avoids pitfalls, app dev teams must first accept the following DevSecOps realities, then be aware of the pitfalls that will come along the way.
Application security is critical to data security
Integrating security from the outset will be the expected baseline for all software development initiatives, especially given the growing use of open source components.
Containerization will make the move to cloud and hybrid faster, easier, and safer
Leveraging containers improves software delivery speed, platform independence, resource utilization, and process reliability, and provides the flexibility and pipeline velocity required to meet new business expectations.
Adherence to DevSecOps requirements must be integrated into team performance metrics
Companies should hold IT and business teams accountable for how well security is integrated into app dev, and aim to drive the cost per bug as low as possible by finding and fixing defects early in the lifecycle.
Transparency, communication, and security are the trifecta of a quality CSO. CSOs must make them the three foundational pillars of DevSecOps to ensure security is included in every aspect of software development.
Now, what your teams need to know to avoid the pitfalls:
It has to start on day one.
IT teams now see the value of integrating app sec practices into DevOps from day one of an application’s development. DevSecOps supports continuous application delivery and performance, the ability to operate safely in hybrid environments, the training of distributed teams amid a pandemic, and an overall focus on how DevOps drives business value with security top of mind.
DevSecOps automates secure, repeatable app sec processes into DevOps and cloud pipelines (the technology and services that speed and enhance app dev, processes, and efficiency). Success in doing so supports IT’s ability to achieve the enterprise transformation goals set as part of 2021 technology initiatives.
Internal obstacles are just as dangerous as external hackers
Over the past 18 months, constant change and uncertainty have been the enterprise norm. Yet app dev teams are still being asked to produce, very quickly, high-quality, secure applications that stand the test of time (and pandemics). Although that pressure is warranted, given the importance of software development, progressive IT teams are mindful of the following challenges that surface for DevSecOps initiatives:
Lack of buy-in
Even the best app sec tools and technologies are useless unless the development teams are willing to use them daily. This can be difficult if the proper education and training foundation hasn’t been set. Developers are often unclear on what it means to build or test an application for security, which leads to an over-reliance on scanning tools. The solution is to find positive ways to help them adopt better coding practices, such as comprehensive developer training and integrating app sec tools into existing workflows so that they are practical to use.
A ‘security for security’s sake’ attitude
There’s no “I” in “app sec.” Making decisions based on security for security’s sake, rather than for the greater good of the app and its developers, is risky. Secure development processes go beyond the obvious benefit of protecting the application from harm: they empower teams to implement good, clean DevOps and agile practices throughout the software development lifecycle.
Containerization is another beneficial security practice to consider, and it helps companies migrate to the cloud. The solution is to get buy-in from other enterprise decision makers by framing app sec as a practice that benefits the company holistically and allows it to innovate faster.
Nonexistent accountability
App sec today holds IT and business teams accountable for security integration. As the software development industry matures, secure coding and working functionality are valued over elegance alone. The solution involves setting team expectations about DevSecOps and enforcing the shift to treating security as a mandatory performance metric for individual, group, and organizational success.
Zero communication
Every stage of development can introduce new security vulnerabilities, and each phase seems to require a different approach or tool to resolve them. Complicating matters, every development team’s programming languages, development lifecycles, and task management systems are different, making the list of app sec tools seem even more daunting.
Successful CISOs prioritize transparency and communication and look for connections between business units as they work to address app sec realities. Finding and implementing the right processes is just as important as finding the right technologies. The solution is to open the lines of communication when adopting processes, and to implement those that take a holistic, transparent view across the enterprise (rather than boxing business units into silos).
Random tool slinging
Every business unit has unique needs and challenges. An app sec partner worth its salt is knowledgeable about current practices and finds solutions based on what each team needs. Prescribing generic, cookie-cutter approaches disrupts app dev, frustrates engineers, and creates friction between teams. The solution is to find an app sec partner that holds app dev in as high regard as the organization does.
When going slow is not an option
The development landscape in 2021 and beyond requires companies to take a secure, continuous, iterative approach. Without a thorough app sec plan, security will hamper efficiency in agile and DevOps and interfere with critical go-live deadlines, and that’s not an option in a fast-paced business environment.
Picking the right application security partner comes down to more than dollars and cents. IT teams need to be forthcoming and ask partners about their commitment to working in alignment with the organization’s security goals (at both a micro and macro business level). Smart CSOs know that a DevSecOps initiative that is not actively managed is more likely to fail.
Keep learning
- Understand the app sec landscape with TechBeacon’s Guide to Application Security Tools 2021.
- Get your team up to speed with top app sec trends in this webinar.
- Download the free Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this webinar.
- Understand the five reasons why API security needs access management.
- Get up to speed fast with TechBeacon’s Guide to App Sec Testing and Gartner’s Magic Quadrant for AST.
- Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
- Build a modern app sec foundation with TechBeacon’s Guide.