I've been covering the vagaries of AppSec for the better part of a decade now. And in spite of all the evidence that has surfaced over the years pointing to the application layer as one of the riskiest in the IT infrastructure, I've observed that most IT organizations haven't matured their AppSec programs accordingly. The level of investment and attention to detail in enterprise application security is, on average, not commensurate with the risk.
According to recent figures from SANS, about half of enterprises spend 10 percent or less of the overall IT budget on application security, and another 34 percent don't know what that percentage is — a good clue that the number is pretty small. Looking at those stats, it's no surprise why the news bleeds ink about data breaches just about every day now.
So Why the Lag?
For one, IT security is still dominated by its fundamental roots in network security. That's where many of the experts in IT risk management cut their teeth and the need there has been communicated up the executive chain for decades. AppSec risks have been around for a long time, but not that long.
Perhaps what's holding AppSec back the most are a lot of lingering misconceptions about the discipline — ones that naturally arise from security's initial network security bias. Veracode recently published a report on application security myths. Among the myths busted were some enduring ones that still persist as excuses for ignoring application security.
For example, there's the belief that AppSec is financially out of reach for organizations. This logic ignores the costs of lost revenue, incident response, downtime and brand damage that result from not making that investment.
Also, there's the misapprehension that only software vendors really need to worry about application security. This persists in spite of the fact that in this era of the Internet of Things (IoT) and an app-for-everything consumerism, every company is a software company.
And, of course, there's the mistaken trust that people place in firewalls, antivirus products and network security to solve their AppSec woes, in spite of the fact that these do little to protect them from software-related vulnerabilities.
No More Excuses
These are the classic hits of AppSec myths and excuses. But new ones are forming every day as IT starts to shift to a faster and more continuous development lifecycle. Veracode's report touched on this when it tackled the misconception that the security team can't assess applications when developers move away from waterfall development. Security practitioners have to adapt to Agile, not the other way around.
I'll go one step further and say that this applies not just to Agile, but also to its heir apparent, DevOps. The natural evolution from Agile practices in development to the DevOps practices that span the entire IT ecosystem scares a lot of security advocates (see here and here for some typical "the-sky-is-falling" lamentations). But it shouldn't.
So here I am to add a couple more AppSec myths to the junkyard; these are centered firmly on the new mode of continuous delivery that DevOps promotes.
- DevOps and AppSec are incompatible: The automated, collaborative and iterative nature of DevOps patterns actually opens up a lot of opportunities for AppSec to finally level up in ways that its proponents have only dreamed about in the past. DevOps and AppSec can collaborate on the "operational process of integrating and delivering code," according to Adrian Lane of Securosis. In reality, security isn't separate from development; the two go hand-in-hand.
- AppSec is security's domain: Let's build on Lane's thought here for a moment. One of the biggest breakthroughs of DevOps is the breaking of that wall between developers and operations. But there are other barriers crumbling in the process as well — including those around QA and security functions in the development process. As the lines blur, security teams need to move into a consultative role, help developers build many of the automated checks and scans directly into the development/deployment pipeline, and then trust them to take on more of the work inherent in AppSec.
- Devs don't care about security: So, that's scary, right? Putting devs in charge of their own tests and making them bigger stakeholders is anathema to a lot of security pros because they think much of the reason applications are so vulnerable is due to developers not caring about security. But that's a huge misperception. Developers care about what they're measured on, and in many cases, security hasn't even entered that equation in the past. As DevOps precipitates a wholesale re-engineering of IT practices at a lot of organizations, this is security's best chance ever to insert itself directly within success metrics and story requirements. It just depends on the understanding that the means of discovering and mitigating application security risks will need to change in the process.