Friday 5 May 2017

Application Security Function

Application Security is the software development concern of proactively ensuring that the applications being built, and integrated with, are secure.  This will require that application security becomes a standard focus for all software development teams, along with delivery, architecture, and quality assurance.

I suggest that this needs to be achieved through:

Education

Everybody (including the business and delivery) needs to understand the importance of security.  At IG we had a very positive recent experience with a consultant who came into our offices, spent some time with our development teams, educating and instilling enthusiasm for the subject, and then closed with a company-wide demonstration of our application vulnerabilities at the time.  The presence of C-level executives at these demonstrations led ultimately to the creation of an application security function (in addition to our already quite mature InfoSec function).

Standardisation

Adopt industry guidelines such as OWASP to ensure a consistent, best-practice approach to security.

Organisation

Security, like quality, does not happen by accident, and requires organised effort to achieve. Create a team of security champions, whether physical or virtual, to:
  • collaborate on application security decisions
  • raise awareness of application security best practice in development teams
  • help teams understand application security threats via threat modeling
  • help teams secure their applications via security test suites
  • provide a developer communication and feedback loop on security matters
  • collaborate closely with InfoSec, PMO and Operations to ensure appropriate goal alignment - resourcing security work will be a key challenge

Process

Integrate security with your software development lifecycle, specifically:
  • create an effective security monitoring, incident, tracking and resolution process
  • prioritise issues using the OWASP risk rating framework
  • require teams to maintain security threat models for their applications
  • create security cheat sheets and code review checklists
  • create automatic security test suites

Testing

Testing is the only way to confidently assert that an application meets its requirements, and this is no different for application security. All applications should be required to have automated security test suites with adequate coverage. In addition, periodic, independent 3rd party penetration tests and architecture reviews should be performed.

The Challenge

Doing security is like taking out an insurance policy.  You don't have to do it, and might get away with it, but can you afford the consequences if you don't?

What do you have to lose?

Probably a lot.
