Imagine that you are tasked with planning a vacation for you and your family. For your ideal trip, you would jet off to a five-star resort on a private island for a month of pampering and fine dining. But, since you have two children, a limited budget, and only one week of paid time off, you settle for a three-star, theme park resort with a spa and outdoor pool. Your family has a great time on the vacation and, using your new-found trip planning skills, you start preparing and saving for your dream getaway.
Spearheading an application security (AppSec) program can sometimes feel a little like that type of vacation planning – you can see an ideal state, but it can feel unattainable. Just like planning a vacation, creating an AppSec program is also dependent on time and money, as well as an organization’s staff expertise, culture, and executive support.
Below, we look at both the best practices and some practical first steps you can take that will prepare your AppSec program for improvements in the future. In other words, keep your eye on the private-island AppSec while moving forward with the theme-park AppSec.
Best Practice #1: Use More Than One Application Security Testing Type
When you visit the doctor with an ailment, you undergo several tests to determine the diagnosis. There is no magic test that detects all illnesses. The same goes for AppSec tests – there is no one test that detects every vulnerability. So, to make sure that your application is fully secure, the best practice is to use as many testing types as possible.
Practical Advice: Start with What Makes the Most Sense, Then Add More Later
Develop an AppSec strategy to determine where you need AppSec solutions the most. Start by implementing the tests that will have the most impact, in the shortest amount of time, for the least amount of money. From there, you can start adding on more tests.
Several factors will help determine which tests will have the most impact. For example, if you have multiple applications, rank them by the criticality of their risks and test the applications with the most critical risks first. Another factor is programming language. If you use less-mainstream programming languages, some AppSec tests (static analysis in particular) may not support them, so start with tests that are language-agnostic, like dynamic or penetration testing.
Best Practice #2: Shift Security Left
In today’s fast-paced world, enterprises are moving from yearly product releases to monthly, weekly, or daily releases. To keep up with this change, security testing needs to be woven into the development cycle instead of after the development cycle. That way, when it is time to release the product, security testing will not stand in the way.
Practical Advice: Shift Security Culture Left
Moving security testing into the development cycle means that developers will play a bigger security role. Since most development and security teams have never worked together, “shifting security left” can be a significant cultural change.
Before making this change, a good first step is to help the security team understand how development works and to build a relationship. Understanding how development works means learning the developers' tools and processes, as well as how they build software, so that security testing can be integrated organically. When security is woven organically into the development process, developers are more likely to be receptive to it, making it easier to forge trusting relationships.
You should also look for ways to automate security testing into the CI/CD pipeline. By integrating automated security tools into the CI/CD pipeline, you can incorporate testing without handing off code to another team, making it easier for developers to fix issues immediately.
Best Practice #3: Fix Everything Fast
Finding vulnerabilities is only half of the battle. You need a solid plan in place to fix them once they are discovered. Automating security testing in CI/CD pipelines allows organizations not only to find flaws faster but also to speed up remediation, because the developer who introduced the flaw sees it while the change is still fresh.
Practical Advice: Prioritize Fixes While Creating Fewer Vulnerabilities
As much as we would love to fix all flaws instantaneously, it is not possible. A practical first step in remediation is prioritizing. When prioritizing your flaws, do not concentrate on defect severity alone; also consider the criticality of the application and how easy it would be to exploit the flaw.
Best Practice #4: Embed Security Champions into Development Teams
Most developers do not have a security background. This makes it very challenging when you try to implement security tests in the development lifecycle. One way to help fill this knowledge gap is to select interested volunteers from the development teams to become security champions. Security champions learn about security testing and can relay important security messages back to their teams.
Practical Advice: Build Up Your Security Champions' Capabilities
Building a team of security champions takes time. Start by making sure your organization’s security, development, and leadership teams are all on board with the security champions concept. Once everyone agrees with the idea, help the security and development teams build a relationship. If developers and security personnel are on good terms, you have a much better chance of developers agreeing to become security champions.
Next, identify your champions. Security champions should be selected based on a demonstrated or perceived interest in learning more about security. If you select developers who have no interest in security, there is a high probability that they will not be successful in the role. Lastly, nurture your identified champions by giving them the tools and support they need to succeed, such as additional training in security concepts and secure code review.
Best Practice #5: Measure Your AppSec Results
It’s critical to be able to measure the success of an AppSec program and report on it with metrics. Identify which metrics matter most to your organization’s key decision-makers, then display them in an easy-to-understand, actionable manner.
Practical Advice: Focus on Your Policy Metric
Bringing too many metrics to your executives early on can be overwhelming and, quite frankly, unnecessary. Start by presenting one metric: how your AppSec program is complying with your internal AppSec policy. From here, you can start sharing other valuable metrics.
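The two practical steps above, prioritizing flaws by severity, application criticality and exploitability, and reporting a single policy-compliance metric, can be sketched in code. This is an added example, not code from the original post; the scoring weights, the rating scales, the internal policy and every finding are assumptions constructed for illustration.

```python
"""Added example: triage scoring and a policy-compliance metric.
All apps, findings, scales and the policy below are constructed."""
from dataclasses import dataclass

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    app: str
    title: str
    severity: str          # critical / high / medium / low
    app_criticality: int   # assumed scale: 1 = internal tool .. 3 = customer-facing, handles sensitive data
    exploitability: int    # assumed scale: 1 = needs auth and chaining .. 3 = trivial, unauthenticated


def priority(f: Finding) -> int:
    """Combine the three factors the text names. Multiplying them (an assumed
    weighting) lets a low-severity flaw in a critical, exposed app outrank a
    high-severity flaw in a low-value internal app."""
    return SEVERITY[f.severity] * f.app_criticality * f.exploitability


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Fix order: highest priority score first."""
    return sorted(findings, key=priority, reverse=True)


def violates_policy(f: Finding) -> bool:
    """Assumed internal policy: no open critical findings anywhere, and no open
    high findings on criticality-3 applications."""
    return f.severity == "critical" or (f.severity == "high" and f.app_criticality == 3)


def policy_compliance(findings: list[Finding], apps: list[str]) -> float:
    """The single metric to report first: share of applications with no
    open policy-violating findings."""
    failing = {f.app for f in findings if violates_policy(f)}
    return round(1 - len(failing) / len(apps), 2)


# Constructed sample inventory and scan results.
APPS = ["payments-api", "internal-wiki", "marketing-site", "hr-portal"]
FINDINGS = [
    Finding("payments-api", "SQL injection in search", "high", 3, 3),
    Finding("internal-wiki", "Reflected XSS", "high", 1, 2),
    Finding("payments-api", "Verbose stack trace", "low", 3, 3),
    Finding("marketing-site", "Outdated TLS config", "medium", 2, 1),
    Finding("hr-portal", "Hardcoded credential", "critical", 2, 2),
]
```

With this data the low-severity stack trace on the payments API (score 9) is fixed before the high-severity XSS on the internal wiki (score 6), and the policy-compliance metric comes out at 0.5 because two of the four applications carry a violating finding.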
Remember, just like saving for your dream getaway, creating the perfect AppSec program takes time. But taking practical steps and looking toward the big picture will help you get closer to perfect sooner.
Learn more about the steps you can take to achieve AppSec maturity in our recent guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start.