As attack surfaces expand and threat actors become increasingly sophisticated, chances are your application security program has room for improvement.
For an organization to have a successful application security program, a centralized governing application security team is essential. In this guide, we highlight the key information you need as you start an application security program or look to improve an existing one.
Common Myths Around Application Security Programs
As you start identifying ways to improve your AppSec program, an important first step is understanding and dispelling myths related to application security.
Common application security myths include:
- An application security team is optional: In our experience with successful application security programs, every one of them has had a dedicated team managing application security efforts in line with the organization’s business needs.
- My organization is too small to have an application security team: Every organization, no matter the size, is at risk from vulnerabilities and security threats, so application security can’t be an afterthought. Even organizations with small teams or limited resources need a dedicated team or, at the very least, the support and expertise of an external AppSec provider to help prevent and remediate security vulnerabilities.
- We can’t have an application security team because our organization is a DevOps/agile/specialty shop: The fact that your business or your development processes differ from others’ doesn’t mean you have no need for application security, nor that you can’t adopt certain application security practices. Any type of software development life cycle (SDLC) offers many opportunities to inject application security touchpoints so that business objectives and development efforts are not hindered by security but enhanced by it.
- An application security team will hinder our ability to deliver or conduct business: In our team’s experience at NetSPI, more secure applications are typically better in every respect, including performance, quality, and scalability. Application security activities, if adopted correctly, won’t hinder your organization’s or team’s ability to conduct business; they will in fact provide a competitive advantage.
Why Do You Need an Application Security Program?
Three of the most critical reasons every organization needs an application security program include:
- Defect Discovery: Organizations typically start their application security journey with defect discovery. The two most common discovery techniques are penetration testing and secure code review, both used to find security vulnerabilities so they can be remediated appropriately.
- Defect Prevention: An application security program’s goal is not only to proactively identify and remediate security issues, but also to prevent security issues from being introduced in the first place.
- Understanding Risk: Determining an organization’s risk posture requires identifying which defects exist, estimating the likelihood that they will be exploited, and assessing the business impact of successful exploitation. Organizations need to understand how the identified defects work and which components of the organization and business they affect.
Getting Started with Defect Discovery
Many different defect discovery techniques are available, each with its own strengths, weaknesses, and limits on what it can identify. Some techniques are also prone to higher false-positive rates than others.
Other factors, such as how quickly a technique can be implemented and how quickly its results can be made available to the appropriate stakeholders, also need to be considered when adopting a particular defect discovery technique in an organization. Ultimately, all techniques overlap to some degree in the types of defects they can identify, and they complement each other.
There are two primary types of defect discovery techniques:
- Secure code review: Often mistaken for the peer code review that development teams routinely perform, secure code review is an activity in which source code is reviewed specifically to identify security defects that may be exploitable. Plenty of checklists exist describing common patterns to look for and coding practices to avoid (including hard-coded passwords, use of dangerous APIs, buffer overflows, and more), and many development frameworks publish secure coding guidelines. Organizations with more mature secure code review practices have implemented secure-by-design frameworks or adopted hardened libraries, helping developers avoid common security defects by enforcing the use of the organization’s pre-approved frameworks and libraries.
- Penetration testing: The most common defect discovery technique, penetration testing is an effective way to get started if your team hasn’t previously focused on application security. Pentesting gives an organization a baseline of the types of vulnerabilities its applications are most likely to contain. The type of testing performed varies significantly with the attributes of the system under test (web application, thick client, mobile application, embedded application, and so on).
Defect Discovery is Just the Beginning
Defect discovery is not limited to the two techniques discussed above, and in the larger scheme of things it is only one part of your overall application security program.
4 Questions to Ask When Starting an Application Security Program
- What does it mean for your organization to have a secure SDLC from a governance perspective?
- How are you going to create awareness and outreach for your SDLC to ensure the appropriate stakeholders know what their roles and responsibilities are toward application security?
- What key processes and technology do you need to put in place to ensure everyone is capable of performing the application security activity that they’re responsible for?
- How are you going to manage software that’s developed (and/or managed) by a third party (augmenting vendor management to reduce risk)?
Application Security Governance and Strategy
Application security governance is a blueprint that is composed of standards and policies layered on processes that an organization can leverage in decision-making in their application security journey.
Organizations have started adopting a Secure SDLC (S-SDLC) process as part of their software development efforts, but how this is done varies greatly between organizations. Ultimately, the focus of the S-SDLC is to ensure that vulnerabilities are detected and remediated (or prevented) as early as possible.
Unfortunately, many organizations have not defined their application security governance model and so lack a proper S-SDLC. Without the proper processes in place, it can be challenging, if not impossible, to maintain oversight of the application security risks across all the applications in an organization’s inventory.
Ultimately, we’ve observed that regardless of where the governance function is implemented (software engineering, centralized application security team, or somewhere else), a dedicated focus on application security is required to get started on the journey to reducing the risk faced from an application security perspective.
The Trifecta of People, Processes, and Technology
The combination of an expert application security team (people), secure SDLC/governance (processes), and application security tools (technology) can help organizations ensure their application security program is as effective as possible.
1. People: Application Security Team
Organizations need to assign responsibility for application security. The way to do this is to establish an application security team, a dedicated group of people focused on continually improving the organization’s overall application security posture and, as a result, protecting against potential attacks. Organizations with a dedicated application security team are known to have a better application security posture overall.
2. Process: Secure SDLC/Governance
A clear definition of standards, policies, and business processes is key to a successful application security strategy. The S-SDLC ensures that applications aren’t created with vulnerabilities or risk areas that interfere with the organization’s business objectives.
3. Technology: Application Security Tools
Many open-source and commercial technologies are available today, each leveraging different defect discovery techniques to identify vulnerabilities in applications. DAST (dynamic application security testing), SAST (static application security testing), IAST (interactive application security testing), SCA (software composition analysis), and RASP (runtime application self-protection) are some of the more common options. Based on the organization’s business goals, objectives, and software development culture, the appropriate tool (or combination of tools) needs to be implemented to automate and expedite the detection of vulnerabilities as accurately and as early in the SDLC as possible.
Taking a Strategic Approach to Application Security
To continually evolve and improve, organizations need to have an objective way to measure their current state, and then work on defining a path forward. Leveraging the appropriate application security framework to benchmark the current state of the AppSec program enables organizations to use real data and drive their application security efforts more strategically toward realistic application security goals.
Standard frameworks also allow for re-measurements over time to objectively measure the progress of the application security program and determine the effectiveness of the time, effort, and budget invested in it.
As application security capabilities mature, so do the amount and quality of data at the organization’s disposal. It’s important to automate data collection and capture proper application security metrics, so that the effectiveness of different application security efforts can be determined, progress can be measured, and the questions raised by executive leadership and board members can be answered with evidence.
NetSPI’s Cybersecurity Maturity Assessment
NetSPI’s Cybersecurity Maturity Assessment helps organizations find clarity in their AppSec journey.
Regardless of where you are in your application security goals and aspirations, NetSPI provides:
- Application Security Benchmarking – Measure the current state of your application security program and understand how your organization compares to other similar organizations within the same business vertical.
- Application Security Roadmap – Define your application security goals and build a realistic roadmap with measurable milestones.
- Application Security Metrics – Based on your organization’s application security program, understand what data is available for collection and automation, and define metrics that let an application security team answer the appropriate questions and drive application security efforts forward.
Access the full whitepaper, Getting Started on Your Application Security Program, to learn more and share application best practices with your team. Schedule a demo today for additional details on how NetSPI can help improve your application security program.