I think we are all tired of Black Fridays that now appear to be ubiquitous throughout the year, but like it or not, it does hail the beginning of the annual festive season spending frenzy which, driven by COVID, is increasingly digital as opposed to physical.
Application security must be front and centre of all companies’ radars at all times, but it is mission-critical at this time of year.
Reducing a company's risk comes down to one key thing and that is increasing the security posture of its application portfolio. To accomplish this, it needs an appropriate application security (AppSec) programme.
Let's begin by explaining what an AppSec programme is and exploring its major components.
Having an AppSec programme is an absolute must, but firms cannot address the subject without first examining their AppSec policy, since this is what every well-designed AppSec programme is based upon. This policy covers the do's and don'ts of increasing the overall security posture.
In short, it addresses the 'what' of making applications more secure. The 'how' is addressed in the AppSec programme.
For example, the policy may speak about the definition of critical vulnerabilities and stress that applications must be vulnerability-free before being deployed into production. The programme, on the other hand, speaks about how to find those critical vulnerabilities and the construct of a security gate between the quality assurance environment and the production environment.
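As an added illustration of the policy/programme split above (example code written here, not from the original article or from any particular scanner): the policy supplies the definition of "critical" and the rule that such findings block promotion to production; the gate script implements that rule against a constructed scan report, with time-limited risk acceptances so that waived findings are re-examined rather than forgotten. The report format, finding ids and ticket numbers are all assumptions.

```python
"""Added example: a QA-to-production gate enforcing an AppSec policy threshold.

The scan report format below is constructed for this example and is not
the output of any specific tool; ids and ticket numbers are placeholders.
"""
from datetime import date

# Policy (the 'what'): these severities block a release unless waived.
BLOCKING_SEVERITIES = {"critical"}

# Constructed sample scan report for a QA build.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "title": "SQL injection in login"},
    {"id": "F-2", "severity": "high", "title": "Missing rate limit"},
    {"id": "F-3", "severity": "critical", "title": "Hardcoded credential",
     "accepted": {"ticket": "RISK-42", "expires": "2099-01-01"}},
]


def is_accepted(finding, today):
    """A finding is waived only by a documented, unexpired risk acceptance."""
    acceptance = finding.get("accepted")
    if not acceptance:
        return False
    return date.fromisoformat(acceptance["expires"]) >= today


def gate(findings, today_iso=None):
    """The 'how': decide whether this QA build may be promoted to production.

    Returns (allowed, blocking_ids). Only unwaived findings of a blocking
    severity stop the release; an expired waiver counts as unwaived.
    """
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    blocking = [f["id"] for f in findings
                if f["severity"].lower() in BLOCKING_SEVERITIES
                and not is_accepted(f, today)]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    allowed, blocked = gate(SAMPLE_FINDINGS, "2024-01-01")
    print("promote to production" if allowed else f"blocked by {blocked}")
```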
An AppSec programme covers three perspectives: people, process and technology; these are also conveniently referred to as the three 'Ps': people, process and product.
Each of these perspectives focuses on a different view of the programme:
- People: Who is doing what and why?
- Process: How and when will it be done?
- Technology: Where will it take place?
If starting from scratch, I suggest starting with the basics. Also, there are various frameworks that can help create or mature a programme; for example, NIST SP 800-53r5, ISO 27K and OWASP SAMM.
But even if using a framework, it helps to truly understand these basics in order to reduce the overall risk.
Maturing an AppSec programme
Achieving an optimal security posture for the business happens when technology, automation, infrastructure, architecture and security policies are aligned, flying in formation across the company.
Most businesses recognise the need for an AppSec programme, but many assume technology alone will resolve their cyber security challenges. This is a false assumption that fails to reflect the realities and complexities of application security. It also creates a false sense of cyber security safety.
If companies are to mature their AppSec programmes, they will need to implement a centre of expertise and operating strategy. This approach gives the company and customers the confidence to meet compliance, customer and business goals.
AppSec programmes are designed to be inclusive of employees, competitors, processes, vendors, regulations and practices. Repeatable processes, standards and remediation plans help organisations to move beyond the basics and embed AppSec into the organisation's DNA.
Optimising AppSec programmes
After integrating and automating AppSec practices, tools and reporting into software development processes, what else is there left to optimise?
The company may feel its AppSec programme is performing as expected and catching external and internal security weaknesses in software. Moreover, it may also feel that trying to implement further optimisation is disruptive to the business.
However, consider that data breaches caused by unprotected applications have affected nearly 75% of organisations, according to the 2018 study on global megatrends in cyber security conducted by the Ponemon Institute.
Many organisations rely on the guidance provided by the Open Web Application Security Project (OWASP) Top 10 to identify critical, high-risk vulnerabilities in their software code. This is a great way to get started, but if organisations want to avoid becoming the next security breach headline, it requires a more mature and optimised programme.
Consider the fact that over 60% of applications had one or more critical or high-severity security flaws not covered by the OWASP Top 10. Organisations that only test or mitigate security risks found within these Top 10 are still very vulnerable to attacks.
So, what are the characteristics of a mature, optimised AppSec programme?
According to the OWASP Software Assurance Maturity Model, there is no single recipe that works for all organisations. A software security framework must be flexible enough to allow companies to tailor their choices based on their risk tolerance and the way in which they build and use software.
In addition to technology, automation and individual capabilities, maturing and optimising an AppSec programme must include the following:
- Identification of the maturity level that the business is seeking: industry, compliance regulations, or acceptable business and customer risk levels.
- Creation of a roadmap that establishes achievable programme objectives, policies, deployment timelines, scope and measurements for success.
- Identification of quick wins and process successes.
Many businesses recognise the need for an AppSec programme, but they assume information technology alone will resolve most cyber security challenges, a very hazardous attitude, as already stated.
Statements such as “our scanners detect 10 weaknesses in our applications every week” are akin to the famous Apollo 13 message: “Houston, we have a problem.”
In my next article, I will unpack how to determine the right level of AppSec for your business.