When you’re constantly reacting to suspicious alerts and fixing vulnerabilities only after they’ve been exploited, you’re missing the point of application security.
Application security, according to Wikipedia, “encompasses the measures taken throughout the code’s life-cycle to prevent gaps in the security policy of an application or the underlying vulnerabilities… of the application.” The practice of application security, at its core, exists solely to protect the data of an organization’s applications and, more importantly, the organization itself.
That’s why AppSec is so important: because it enables business to succeed without interruptions due to breaches, loss of data, slow remediation times, and countless other blunders. Without embedding application security practices throughout your organization, you’re allowing holes through which business can be disrupted.
If you’re always in reactive mode, reacting to past events and not working to fix the heart of the issues, your AppSec program will not succeed. Application Security demands a proactive approach.
Being proactive in your organization’s application security is the only way to get ahead of the hackers. With new exploits popping up and the major-breach-a-week environment we’re living in, it may seem like too big a task. But only once you’ve taken the steps necessary to having a proactive application security approach, will you truly be keeping your organization secure.
In that spirit, we’re sharing our Ten Commandments of Proactive Application Security to help get you where your organization’s security where it needs to go.
1. Thou shalt implement a secure SDLC
Having security touchpoints and milestones throughout your organization’s Software Development Life Cycle (SDLC) is one of the most proactive practices you can perform in security. With a secure SDLC, you’ll have a predictable and documented process in place, allowing you and your security team ample opportunity to find and fix issues as soon as they arise.
Embedding key application security activities and tools such as Static Application Security Testing (SAST) throughout the SDLC will help address code quality from the security teams perspective and allow issues and vulnerabilities to be addressed as soon as they arise. This not only gives your security team a jump on ensuring the application is secure before deployment, but also saves an incredible amount of money and manpower later down the line.
Consider the fact that security flaws can cost anywhere from 15-90% more when they’re found after integration or deployment than when discovered during design or coding. AppSec isn’t about fixing flaws one by one as they pop up. AppSec is about minimizing the application’s attack surface, and keeping both the time and financial cost of doing so down.
2. Thou shalt make security as SIMPLE as possible for the organization
Let’s say this again: security is a business enabler and should be approached as such. When security becomes a burden, it will quickly be swept to the side. It’s up to the security team to embed security in such a way that makes it easy for the rest of the company to get on board.
For developers, this means integrating application security into their existing code life-cycle processes – their IDEs, source repository, bug tracking, etc. Only security tools that can be easily approached by the developers will have a chance at adoption.
For the rest of the organization, enacting security controls that protect employees – while not slowing them down – are crucial to securing the sensitive information that each department deals with on a regular basis.
3. Thou shalt educate your developers
Application security will never be ‘finished’ at your organization, and neither should your work with the development team when it comes to secure coding and security awareness. For a proactive application security team, you need to get your developers on your side.
Developers don’t specialize in security because only recently has the full importance of the necessity of teaching programming hand in hand with security been realized.
What that means for you is that it’s up to you to educate your developers and to find ways to get them engaged with security. The disconnect between developers and security, Checkmarx CEO Maty Siman has said, “historically arose from common misunderstandings: programmers believe that security hinders their productivity, while security folks are frustrated that security is not at their top-of-mind.”
One of the most proactive ways to bridge the gap is to actually speak with your development team leaders and listen to their challenges and what interests them when it comes to security. Get their feedback on security training you’ve done in the past and recruit developers who seem genuinely interested in application security to help shape their AppSec education going forward.
Once your organization’s developers realize the value and importance of securing the code they work so hard to create, you’ll have one more team on your side in your proactive application security program.
For inspiration, check out OWASP’s extensive library of developer education presentations.
4. Thou shalt educate the organization at large
People are by far the weakest link when it comes to security, as we’ve seen time and time again. The reason is that most non-security employees just aren’t aware – or don’t understand the full scope – of how vital it is for each person to keep information secure.
With the growing popularity of techniques like social engineering, it’s more important than ever for all an organization’s employees to be well educated on security risks, especially how to spot and avoid attacks. Holding mandatory security awareness training as well as sharing information about the latest attacks aimed at employees will go a long way in getting them to develop a more secure mindset.
By educating the board and key stakeholders, you’re also helping align security with business objectives, which goes a long way to getting their full support for your proactive application security activities.
5. Thou shalt think like a hacker
When you’re only thinking like a defender, you’re bound to miss half the picture. It takes a different take on the code you work to secure in order to see what holes you’re really missing. Thinking like a hacker (depending on who you talk to) means taking a look at your organization (and its software, of course) the way someone trying to break into your organization would.
The key to “thinking like a hacker” is to focus much less on eliminating specific vulnerabilities and focus more on threat modeling and having fresh eyes look over your code.
When, according to the Verizon Data Breach Investigation Report (DBIR), “nine out of ten of all breaches can be described by nine basic patterns,” it’s clear that although the number of possible threats may be infinite, the most vital to secure are not.
Determining which threats your organization is most susceptible to (with help from your well-defined metrics) and working to reduce those attack surfaces will help change the way your organization addresses application security, allowing security to stay a step ahead of the actual hackers.
The risk of not thinking like a hacker?
6. Thou shalt think like a CEO
Yes, thinking like a hacker will help uncover all the holes you couldn’t have seen through a defender’s eyes. But only thinking like a CEO will get you the support you need from the board. To quote Wim Remes, “only someone with the hacker mindset, and the necessary business acumen, will be able to combine both and be successful.”
Fully immerse yourself in the business side of things. Understand what the company’s overarching goals and needs are. And then implement those goals into your own goals for your application security program. By combining security with business, you’ll not only be successful, but proactive.
“As information security professionals, it is our obligation to learn the language of business. We must become experts in understanding our business’s strategy…and mission. Once we understand those factors, we can then build a security plan around those stated goals.”
7. Thou shalt make your application security automated where possible
While we’ll always need pentesters and code reviewers for the tasks that require real human intelligence and decision making, automating security tasks is the only way to allow your security program to grow and change. As your organization evolves, so too will the applications it uses and integrates. Automation offers the benefits of reducing redundancies, faster testing and better coverage.
With the right tools in place automating repetitive and strenuous security tasks such as code review, you’ll be better prepared for organizational growth – while saving the company money and showing your AppSec program’s ROI.
Related: Automated vs. Manual Testing
8. Thou shalt be on top of your open source components
We’re using so many open source components in our applications these days (up to 80% in Java applications) that it’s crazy to know we’re not thinking twice about their security – especially after the past few open source blunders. More eyes do not make all bugs shaltow.
Stay on top of the external code and frameworks you’re using in your own applications. If you don’t already have an inventory of the open source components you’re using – spend the time now to create one. Don’t rely on the open source community to fix every issue. If the source code is available – test it yourself. If it’s third-party code, make sure their security standards are aligned with yours. Finally, put policies in place that set a standard for which types of open-source components may be used.
Read more about staying proactive with your open source components at OWASP.
9. Thou shalt measure your activities and collect meaningful metrics to learn from
A part of being proactive means setting goals for your activities and determining if the end results meet your expectations.
Metrics are paramount in showing your programs value – and discovering which areas need fixing. Without designing relevant metrics to measure your application security practices, it’s going to be difficult to improve and to stay ahead.
10. Thou shalt spread the love with thy fellow AppSec pros
Application security cannot survive in a vacuum, both within an organization and among AppSec professionals. With the growing number of attacks aimed at applications, only through exchange of information among the AppSec community can we keep ahead of the hackers.
It’s important for each security professional to share what they know and collaborate with peers on determining what practices and tools have worked best for them. Exchanging this information allows organizations – including yours – adapt to evolving threats in the most effective, and proactive, ways.
Check out Microsoft’s Framework for Cybersecurity Information Sharing for ideas on how to start collaborating.