It’s no secret that applications have been a top vector for data breaches over the last five years (Verizon DBIR 2015). As organizations wade deeper into the DevOps era, it’s clear that a mature application security (AppSec) program is a key pillar of organizational success.
In this article I would like to present three ways to improve your application security program.
1. Establish a risk-based approach
I think we all agree that it’s impossible to achieve total security across your entire application portfolio. That’s why CISOs need to concentrate effort and available resources with a risk-based strategy that protects the applications and assets that really matter. Here are 7 steps to help you establish a risk-based AppSec strategy:
- Know where you are: Use the OpenSAMM framework (Software Assurance Maturity Model) to conduct a maturity assessment and identify the critical gaps in your AppSec program.
- Know what you have: Create a consolidated inventory of your entire application portfolio and focus first on the most business-critical applications.
- Know your acceptable risk level: Define policies that reflect the maximum risk your organization is willing to accept for each class of application.
- Use established tools: Use automated scanning (static and dynamic analysis) to quickly and efficiently identify critical vulnerabilities and determine policy compliance.
- Remediate: Fix what the scans find, prioritizing by severity and by the business criticality of the affected application.
- Train Dev teams: Use developer training to help developers understand and avoid the critical vulnerability classes that keep showing up.
- Use the fantastic four: Use metrics and benchmarks (see section 3) to measure your progress.
2. Manage third-party risk
Software applications are built from many third-party and open source components such as frameworks, libraries and plug-ins. Developers avoid “reinventing the wheel” and tend to use external components because it speeds up delivery. The problem is that many of those components contain critical vulnerabilities, which can lead to high-severity exploits such as denial of service (DoS) or remote code execution. Remember Heartbleed (OpenSSL) and Shellshock (Bash)!
To help your developers go faster without compromising security, you need tooling (software composition analysis) that answers three questions: which components each application contains, which known vulnerabilities those components carry, and which applications are affected by a given vulnerability. That last question is the one you need answered within hours when the next Heartbleed lands, and it is only answerable if every application pins the exact component versions it ships.
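The following is an added example, not code from the original article or from any vendor product, of the minimal logic behind those three questions: parse each application’s pinned component list, match it against a list of known-vulnerable version ranges, and report which applications carry which vulnerable component. The component names, versions, advisories and manifests are all constructed for illustration; a real deployment would pull advisories from a vulnerability feed and the manifests from your build system.

```python
"""Minimal software composition check: match the third-party components an
application declares against known-vulnerable version ranges and report which
applications are affected. Added example with constructed data only; it is
not a real advisory feed or any vendor's product."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str          # first vulnerable version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet
    severity: str
    summary: str


# Constructed advisories; component names, versions and summaries are illustrative.
ADVISORIES = [
    Advisory("libwidget", "1.0.0", "1.2.5", "high", "remote code execution in parser"),
    Advisory("fastjson-lite", "2.0.0", "2.1.0", "medium", "denial of service on deep nesting"),
    Advisory("oldcrypto", "0.1.0", None, "high", "weak default cipher, no fixed release"),
]

# Constructed per-application manifests in requirements.txt style (name==version).
PORTFOLIO = {
    "customer-portal": "libwidget==1.2.3\nfastjson-lite==2.1.0\n",
    "billing-api": "libwidget==1.2.5\noldcrypto==0.3.1  # legacy, nobody owns this\n",
    "intranet-wiki": "fastjson-lite==2.0.7\n",
}


def parse_version(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10): compare numerically, because as strings '1.2.10' < '1.2.5'."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> dict:
    """Return {component: pinned_version}; reject unpinned entries, which cannot be checked."""
    components = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned component {name.strip()!r}: pin exact versions")
        components[name.strip().lower()] = version.strip()
    return components


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed, or version >= introduced and no fix exists."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan_portfolio(portfolio: dict, advisories=ADVISORIES) -> list:
    """One finding per (application, vulnerable component, advisory)."""
    findings = []
    for app, manifest in portfolio.items():
        for name, version in parse_manifest(manifest).items():
            for adv in advisories:
                if adv.component == name and is_affected(version, adv):
                    findings.append({"app": app, "component": name, "version": version,
                                     "severity": adv.severity, "summary": adv.summary,
                                     "fix": adv.fixed or "none available"})
    return findings


def apps_affected_by(findings: list, component: str) -> list:
    """The question the text asks: which applications carry this vulnerable component?"""
    return sorted(f["app"] for f in findings if f["component"] == component)


if __name__ == "__main__":
    for f in sorted(scan_portfolio(PORTFOLIO), key=lambda f: (f["severity"], f["app"])):
        print(f"{f['severity']:6} {f['app']:16} {f['component']}=={f['version']}: "
              f"{f['summary']} (fixed in {f['fix']})")
```

Two details matter in practice and are easy to get wrong: versions must be compared numerically (a string comparison would report 1.2.10 of the constructed libwidget as vulnerable although it is past the 1.2.5 fix), and an unpinned dependency is rejected rather than silently skipped, because a component whose version you do not know is a component you cannot assess.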
3. Use the fantastic four
Metrics and KPIs should sit at the center of your AppSec program so you understand what’s working and where you need to improve.
Identifying key metrics will help you monitor, analyze and improve your overall security practices, and build a case to your senior executives for further investment in your AppSec program. The goal is to make AppSec meaningful to all stakeholders, especially Development, QA and senior executives.
The fantastic four describe four ways to look at your application portfolio and benchmark against your peers in the industry.
Metric 1 - Policy Compliance: A policy reflects the risk level your organization is ready to accept for an application. Veracode advises creating and enforcing consistent application security policies across your application portfolio.
You can for instance define a policy rule that says all your web applications must have no open findings in the OWASP Top 10 categories to pass. You can then use the pass rate at first assessment as a KPI to gain intelligence about the quality of your applications as they arrive for testing, and also compare yourself with your peers in the industry.
Metric 2 - Flaw Prevalence: This metric measures how often critical flaw categories such as SQL injection, cross-site scripting (XSS) or cryptographic issues are found across your applications.
It’s important to note that not every application is subject to the same vulnerabilities. Using this metric will help you take targeted action, for example technical training on the flaw categories that are most prevalent in your portfolio, so developers understand and avoid them going forward.
Metric 3 - Fix Rate: Measuring the fix rate (the share of findings from an earlier assessment that are fixed in a later one) will help your organization allocate resources in the most effective way. You can use this metric to gain intelligence about the mitigation and remediation work done during the development process, and also compare to your peers in other industry verticals.
Metric 4 - Business- and goal-specific metrics: Defining good metrics depends on the goals and objectives of your AppSec program. For instance, a metric may track developer training completed or the number of applications undergoing automated testing. Ultimately it’s up to you and the needs of your business.
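To make the first three metrics concrete, here is an added example, not code or data from the original article or from Veracode, that computes policy pass rate, flaw prevalence and fix rate over a constructed set of scan findings for four applications. The finding records, the category names and the policy (a set of categories in which a web application may have no open finding) are all assumptions made for the illustration.

```python
"""Compute the first three 'fantastic four' metrics from scan findings: policy
pass rate at first assessment, flaw prevalence per category, and fix rate
between the first and latest scan. Added example over constructed findings;
the data shape is an assumption, not any vendor's schema."""
from collections import Counter

# Constructed policy: categories in which a web application may have no open findings.
POLICY_CATEGORIES = {"SQL Injection", "Cross-Site Scripting", "Cryptographic Issues"}

# Constructed scan results: findings at first and latest assessment, keyed by finding id.
SCANS = {
    "customer-portal": {
        "first":  [{"id": 1, "category": "SQL Injection", "status": "open"},
                   {"id": 2, "category": "Cross-Site Scripting", "status": "open"},
                   {"id": 3, "category": "Information Leakage", "status": "open"}],
        "latest": [{"id": 1, "category": "SQL Injection", "status": "fixed"},
                   {"id": 2, "category": "Cross-Site Scripting", "status": "open"},
                   {"id": 3, "category": "Information Leakage", "status": "open"}],
    },
    "billing-api": {
        "first":  [{"id": 4, "category": "Cryptographic Issues", "status": "open"}],
        "latest": [{"id": 4, "category": "Cryptographic Issues", "status": "fixed"}],
    },
    "intranet-wiki": {
        "first":  [{"id": 5, "category": "Information Leakage", "status": "open"}],
        "latest": [{"id": 5, "category": "Information Leakage", "status": "open"}],
    },
    "static-site": {"first": [], "latest": []},
}


def passes_policy(findings, policy=POLICY_CATEGORIES) -> bool:
    """Metric 1 per application: no open finding in a policy-relevant category."""
    return not any(f["status"] == "open" and f["category"] in policy for f in findings)


def pass_rate(scans, stage="first") -> float:
    """Share of applications passing policy at the given assessment ('first' or 'latest')."""
    return sum(passes_policy(s[stage]) for s in scans.values()) / len(scans)


def flaw_prevalence(scans, stage="first") -> dict:
    """Metric 2: share of applications in which each category appears at least once.
    Counting per application rather than per finding keeps one noisy app from dominating."""
    counts = Counter()
    for s in scans.values():
        counts.update({f["category"] for f in s[stage]})
    return {cat: n / len(scans) for cat, n in counts.items()}


def fix_rate(scans) -> float:
    """Metric 3: fraction of findings open at first assessment that are fixed in the latest."""
    found = fixed = 0
    for s in scans.values():
        latest = {f["id"]: f["status"] for f in s["latest"]}
        for f in s["first"]:
            if f["status"] == "open":
                found += 1
                fixed += latest.get(f["id"]) == "fixed"
    return fixed / found if found else 1.0


if __name__ == "__main__":
    print(f"policy pass rate, first assessment:  {pass_rate(SCANS):.0%}")
    print(f"policy pass rate, latest assessment: {pass_rate(SCANS, 'latest'):.0%}")
    for cat, share in sorted(flaw_prevalence(SCANS).items(), key=lambda kv: -kv[1]):
        print(f"prevalence {cat}: {share:.0%} of applications")
    print(f"fix rate: {fix_rate(SCANS):.0%}")
```

Note how the three numbers tell different stories about the same constructed portfolio: half the applications fail policy at first assessment, information leakage is the most prevalent category yet is not what fails them, and only 40% of the original findings have been fixed. A program that reported only one of these would draw the wrong conclusion.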