Undeniably, the best way to get secure software is to develop secure software. And the emerging DevSecOps trend – the integration of development, security and operations – facilitates this process. The ideal application security program today would involve a DevOps process with security integrated automatically from development to production. However, most companies aren’t there yet. In fact, in many cases, this ideal state is off-putting, because it seems like it involves starting over or abandoning all existing processes. The reality is that the path to application security success is incremental – most of our customers reach AppSec maturity by making a business case, starting small and growing the program over time. Each program is unique, but here is a rough outline of the steps most organizations take.
The first step is to define the scope of an AppSec program. Fundamentally, this explains why you are spending time and money by defining the products you need to secure. A good place to begin is with all Internet-facing and mobile applications, as these represent the highest likelihood of exploitation. As programs mature, other factors can be introduced to expand the scope of assessment and reduce the risk of breach via the application layer.
Second, data gathering is essential to running an efficient AppSec program. Details such as the application name, owner and development language streamline entry to the “Assess” step. Many organizations hold an application inventory; however, Veracode has found that in the majority of cases, the existing inventory does not contain sufficient information to initiate security assessments. Speed of delivery of an AppSec program is dependent on accurate data. Baking this step into the process upfront will improve performance down the line. Investment at this early step will show value by providing a better understanding of the applications in use by the organization, and prevent costly scoping errors during program operation.
With the applications identified, the program’s attention shifts to laying the groundwork for the security assessment itself. Choice of technology aside, this step focuses on the people and the process needed to onboard and enable developers and application owners to participate in the AppSec program. Internal mandates and communications programs are pivotal to winning internal stakeholder support. With the application teams briefed and empowered, the next step is to onboard/configure the application for assessment. Internal training materials will assist, and Veracode’s own Services team excels at getting your applications ready to scan. The final activity within this step is the scan/assessment itself. This is where the AppSec program starts to secure the application layer by reporting on risk. However, the value here should not distract from the ultimate objective: the remediation of vulnerabilities.
As scan results exit the “Assess” step, you’ll need a formal process to act on the risks detected. Don’t neglect the importance of reviewing scan results. With the review of results complete, the flaws that must be remediated are identified. However, it may prove unfeasible or unnecessary to fix all detected flaws, so give thought to how mitigations will be tracked, accepted and documented.
In many ways the “Fix” step is the most complex part of an AppSec program. It is also the most important, for it is within this third step that the return on investment is fully realized.
Fortunately, Veracode excels in this step. The Veracode Platform provides a central hub to review findings from dynamic (DAST) and static (SAST) security assessments, including software composition analysis of third-party components.
Veracode’s Application Security Consultants are experts at taking your development teams through the scan results of specific applications, while the Security Program Management team helps your Security Leads prioritize flaws during the review step, for later remediation. Finally, the Veracode Platform contains a well-structured mitigation workflow, which allows Security Leads to review and authorize specific mitigations and, once approved, ensures that developers do not waste valuable time re-mitigating results of subsequent scans.
Ultimately, a programmatic approach to AppSec divides the workflow into three major steps, with several smaller steps contained within each. Introducing automated systems such as a binary repository and APIs significantly reduces effort and will promote uptake of an AppSec program.
For more details on application security best practices, from someone who’s been there, check out our new guide, 5 Lessons From an Application Security Pro.
And Contact Us to learn how we can help you deliver a scaled application security program to reduce your risk of breach.
| Step | Sub-step | What to do? | How Veracode can help |
|---|---|---|---|
| Identify | Scope Definition | Decide which applications to assess | Expert guidance on risks in the application layer |
| Identify | Data Gathering | Collect the details required to begin assessment | Extensive experience in guiding enterprise customers to create a detailed application inventory |
| Execute: Assess | Onboard/Enable | Brief the application teams on the why and how of AppSec | Professional services team to explain AppSec |
| Execute: Assess | Upload/Configure | Get the app ready for assessment | Developer-friendly platform and easy integration with common tools |
| Execute: Assess | Scan/Assess | Conduct the assessment | Gartner Magic Quadrant-leading technology |
| Optimize: Fix | Review | Understand and prioritize results | Security consultants to guide developers and security leads |
| Optimize: Fix | Remediate | Fix the flaws identified during review | Extensive eLearning and professional support |
| Optimize: Fix | Mitigate | Understand which flaws are not exploitable | Tried and tested mitigation workflow |