The biggest challenge for organizations trying to deliver secure applications is integrating application security into the entire software development lifecycle (SDLC). The SANS "2015 State of Application Security" report, released in May, shows that this gap between builders and defenders is closing, however.
By implementing the following five SDLC best practices as presented in the report, organizations can help ensure that application security is present in all facets of the software development lifecycle.
Your goal is to understand the roles of your various applications, the data maintained by the applications, how the applications interact and what external libraries and dependencies they rely on. Developing this inventory with the application owners and architects will provide a better view of the risks of each application while also creating a communication line between the application security team and the application owners.
This covers a few activities, all of which are important. The first is defining coding standards and quality controls. These quality controls will help provide useful feedback to both teams. The second activity is developing internal code libraries. These code libraries can be reused and will have been processed through the code quality and security tests.
Finally, require that documentation be maintained and updated. While this can be difficult under Agile methodology due to fear that velocity will be negatively affected, it's necessary to keep all relevant documentation (architecture, API documents, coding standards, etc.) up to date.
While security gates are important, these gates should be there to provide guidance. A great way to enable this is to provide a security architecture blueprint with preapproved methodologies and architectures for handling data and interacting with subsystems (such as for authentication and authorization).
Collaborating with the application development team on this documentation and keeping it up to date allows the software development team to know what to expect when it's time to seek approval for a new method or mechanism.
Software engineers, developers, user experience professionals and others involved in the production of software have a work process that makes them efficient. Injecting processes or tasks that hinder that will create resistance, and changes to the workflow must have valid reasons that developers can understand.
For instance, requesting that developers run a full static analysis scan of a large code base on every change isn't productive, whereas telling developers that they will get a report back from an incremental scan of the code they changed, and that they must address any findings in it, will likely be received more positively. Note that it will still be necessary to provide guidance and recommendations on how to address those findings.
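The incremental-scan workflow described above, as an added example that is not part of the original article or the SANS report: only files that changed between two snapshots are scanned, and findings the previous version already had are treated as baseline so that developers are asked to address only what their change introduced. The two scanner rules and the sample files are constructed placeholders, not rules from any real tool.

```python
"""Incremental static-analysis gate: scan only changed files, report only new findings."""
import re
from typing import Dict, List, Tuple

# Hypothetical rules standing in for a real SAST engine (constructed for this example).
RULES = {
    "hardcoded-secret": re.compile(r'(?i)\b(password|secret|api_key)\s*=\s*["\'][^"\']+["\']'),
    "shell-true": re.compile(r'subprocess\.\w+\(.*shell\s*=\s*True'),
}

Finding = Tuple[str, int, str, str]  # (path, line number, rule id, offending line)


def scan_file(path: str, text: str) -> List[Finding]:
    """Run every rule over each line of one file."""
    return [(path, n, rule, line.strip())
            for n, line in enumerate(text.splitlines(), start=1)
            for rule, pattern in RULES.items() if pattern.search(line)]


def full_scan(tree: Dict[str, str]) -> List[Finding]:
    """The expensive variant: every file, every time."""
    return [f for path in sorted(tree) for f in scan_file(path, tree[path])]


def changed_files(base: Dict[str, str], head: Dict[str, str]) -> List[str]:
    """Files added or modified in head relative to base; deleted files need no scan."""
    return sorted(p for p, text in head.items() if base.get(p) != text)


def incremental_scan(base: Dict[str, str], head: Dict[str, str]) -> List[Finding]:
    """Findings in changed files that the base version of the same file did not already have.
    Baseline matching uses (rule, line text) rather than line numbers, which shift on edits."""
    new_findings = []
    for path in changed_files(base, head):
        baseline = {(f[2], f[3]) for f in scan_file(path, base.get(path, ""))}
        new_findings += [f for f in scan_file(path, head[path]) if (f[2], f[3]) not in baseline]
    return new_findings


# Constructed sample repository snapshots: BASE is the last scanned state, HEAD is the new commit.
BASE = {
    "app/config.py": 'DEBUG = False\npassword = "hunter2"\n',          # pre-existing finding
    "app/legacy.py": 'subprocess.call(cmd, shell=True)\n',            # untouched by this commit
}
HEAD = {
    "app/config.py": 'DEBUG = False\nTIMEOUT = 30\npassword = "hunter2"\n',  # edited, old finding moved
    "app/legacy.py": BASE["app/legacy.py"],
    "app/deploy.py": 'import subprocess\nsubprocess.run(cmd, shell=True)\napi_key = "CONSTRUCTED-KEY"\n',
}

if __name__ == "__main__":
    print("full scan findings:", len(full_scan(HEAD)))              # 4, including legacy debt
    for path, n, rule, _ in incremental_scan(BASE, HEAD):
        print(f"NEW {path}:{n} {rule}")                              # only the 2 introduced here
```

Gating the merge on `incremental_scan` being empty keeps the developer's feedback limited to their own change, while `full_scan` remains available for periodic baseline reviews of the pre-existing findings.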
The number of application security professionals is low, and the number of applications being developed is high. Even with automated static, dynamic and interactive application security tools, application security programs do not scale on their own. Developers want to do the right thing, and they are eager to learn. Identifying a set of developers interested in security and providing them with both general security training and specific training on any tools and methodologies they use will serve your developers well.
Schedule regular meetings with these security-minded developers (the security guild) to improve the parts of the program that are causing challenges. The benefits are twofold. First, the application security program scales through increased involvement. Second, both teams come to understand the struggles and challenges of the other side.
A theme throughout these five SDLC best practices is a communicative partnership with the development organization. The more aligned the application security team can be with the development organization, the greater the success. A successful implementation of an application security program will include identifying applications that are currently supported, developing code quality standards, collaborating to find secure solutions, creating a streamlined workflow for the development team and getting developers involved in the application security process.
For more on how your teams can work together to bridge the application security gap, download the full SANS report here.