There’s no easy path to success for a modern AppSec program. You’ll absolutely fail if you don’t come prepared and have the right tools for the job. Not only are skilled practitioners in high demand and hard to retain, but the AppSec solutions out there often don’t keep pace with the development of the technology they’re meant to secure.
This article is the first in an ongoing series on how to survive and succeed in modern application security. Subscribe to see every edition as it comes out, and get insights into advanced AppSec program performance you can use in your organization.
So, what are these 5 tips for AppSec success?
If you had unlimited resources, you’d have ethical hackers and web security scanners testing 24/7. But chances are you don’t—so what can you do? You gotta get scrappy and use what’s lying around.
Don’t knock open-source and freemium tools out there until you’ve tried them. They can really fill in the gaps in your team’s abilities, from pen testing to software composition analysis (SCA), to a security “spell check” that catches mistakes as code is being written. And if you’re lacking both tools and talent, it might be better to just bring in a ringer through a managed AppSec service. These are a great way to get out of the ongoing expense of tools since they have them in-house, and they make time-consuming recruitment and retention tasks straight up not your problem.
Manual testing by skilled humans is a vital component of any AppSec program, but boy does it not scale. Technology problems should be solved by technology first. And the only way to scale is through powerful automation that is tailored to the software development processes, tools, and systems you have.
The automation must be focused on the types of threats your applications are likely to face. This is especially important when your application suite handles tasks like storing personally identifiable information (PII), conducting commerce, protecting trade secrets, or managing anything else that is even a little bit essential to the business. That way, you can keep your human security practitioners focused only on the things that absolutely can’t be automated.
If you’re a first-time AppSec tool buyer building a toolchain from scratch, you’ve got a big job ahead to figure out which tools to use. Digital transformation drives these kinds of situations. For example, if your organization switches to new dynamic web technologies for its integrated systems, that’s a whole new dimension of threats, and those technologies have been confounding dynamic application security testing (DAST) scanners for over a decade. We recommend Rapid7 and Invicti Security for their proven ability to adapt.
An even more common scenario is that you’re retooling: trying to replicate the automated AppSec functions and workflows you’re accustomed to while replacing the many tools that didn’t work. Retooling is incredibly expensive on top of the damage that the failed tools allowed, so it’s important to make the retooling decision as informed as possible.
Make sure to have an expert on your team when making a purchasing decision—as we’ve investigated before, security technology is extremely hard to build regardless of the marketing spin they sell.
Tool vendors have to keep pace with new and advanced development frameworks, web technologies, and authentication systems, and almost all of them struggle with this time and time again.
Some of their biggest shortcomings are:
Application security assurance requires you to protect the software and systems your business needs to function. Plus, you may need to maintain compliance with certain cybersecurity guidelines or standards. We’re still assuming you don’t have unlimited resources (sorry!), so you need to weigh how critical each protected asset is as you decide how it needs to be secured and what types of testing and tools are actually available for it. Here’s how to decide on the tools:
Even an automated process needs to be set up, integrated with your systems, and interpreted by skilled operators. “Set it and forget it” doesn’t work for critical assets. Make sure whatever tool you pick is operable and can be customized for your most important targets. Also, an AppSec automation tool can’t magically make you understand its findings. A human being is required to interpret and analyze its output, resolve authentication snags, eliminate false positives, and discuss findings with QA and developers.
There is no such thing as a tools-only approach to AppSec. Automated tools miss things (false negatives), and no tool can find vulnerabilities hidden in areas like an application’s business logic and process flow. An expert is required to test these areas manually and to double-check findings in mission-critical areas that are scanned, so don’t go for tools that claim to eliminate manual testing entirely.
There’s a basic logic to the idea of cutting out the middleman and going straight to the source. Surely it’s the cheapest and most efficient way to get your hands on the products and tools you need? There are industries where that’s true, but the more technical the product and the more expertise it requires, the less certain this becomes. Compare this with a value-added reseller (VAR) for AppSec solutions, who, yes, sits in the middle of the transaction, but adds a lot of expertise and sometimes services that can make the journey easier. Think of the problems we’ve outlined so far, and how a vendor and a VAR might behave differently:
If you did some independent research and went to your chosen vendor to learn more, would they tell you about the shortcomings of their product for your environment? Would they recommend competitors that fit better? Or look at your budget and determine that a free tool, or no tool at all, actually makes more sense?
A VAR would look at your situation holistically, and rather than sell the specific solution they make, they’d look through the entire AppSec automation ecosystem for the right mix of vendors and tools that actually work in your context while guiding you away from ones that are largely just marketing hype.
A vendor might be able to provide onboarding, migration, and training to get you up to speed. But they generally can’t replace the need for people, except in limited cases with managed AppSec (again, only recommending their own).
An AppSec solution VAR may well have solutions that replace the need for staffing, since their goal is to provide value above and beyond what a toolmaker can do. Consultative services, training services across tools and vendors, and even outsourced manual testing or AppSec management are all possible, while the VAR stays very well versed in the tools it recommends and still provides access to all available services from the vendors you and they choose together.
The V and the A are the most important parts of the equation when choosing a VAR. If they’re just focused on pushing products, i.e. a reseller who isn’t adding value and is just collecting a percentage, that’s a different story. As in the two cases above, make sure that you’re getting something special and extra for taking the trouble to work with someone other than the manufacturer. One thing to watch out for is a VAR that represents far too many different AppSec tools: that means they have no specialization and are unlikely to be familiar enough with any of them to make a meaningful recommendation.