In today’s high-tech industry, security is struggling to keep up with rapidly changing production systems and agile development introduces workflow chaos. The Application Security (AppSec) team is struggling hard to gain visibility and control its environment. Instead of spending time on key activities, the team feels overwhelmed with visibility and tools to control the process. As a result, many digital services are still improperly protected. In order to catch up with the trend, AppSec must adopt an agility model compatible with software development.
Reasons for Agile
Agile processes continuously integrate small changes and gather meaningful feedback in the process, allowing the software to continue to evolve. Just step by step, you can pay less for your mistakes and learn a lot in the process. This approach is supported by continuous integration/continuous development (CI/CD), source code management (SCM) and amazing collaboration tools to make the software industry fast and powerful.
The AppSec team is responsible for ensuring software security. However, with the increase in industry productivity, AppSec has encountered a problem of insufficient resources and cannot cover basic knowledge such as penetration testing and threat modeling. The AppSec community has developed useful methods and tools-but the number of developers exceeds 100:1, and AppSec simply cannot cover everything.
Software security (like all software engineering) is a highly complex process based on time-consuming, detail-oriented tasks. In order to move forward, AppSec must develop its own method to organize, prioritize, Measures, And expand its scope of activities.
What will agile AppSec look like?
Recognizing the limitations of long-term methods of software development, agile methods and tools came into being. However, AppSec’s differences mean that it cannot simply replicate software development. For example, introducing automated testing into CI/CD may overlook important things. First, every asset delivered outside of CI/CD will remain in an untested state and require other AppSec processes, which may lead to unmanaged risks and shadow assets. Secondly, when developers question the quality of the report, it creates friction between engineers and safety, thereby jeopardizing healthy cooperation. This applies to all aspects of AppSec, not just testing.
We need to study more deeply, study the principles of agility, and define a way to overcome limitations and help resolve chaos.
1. Stakeholders, deliverables and sustainability
AppSec teams need all levels of engineering attention, which often creates bottlenecks, even for focused teams. This motivates organizations to delegate security tasks to developers. Since AppSec is a resource-intensive discipline, delegating tasks is the key to success. However, many organizations are struggling with the complexity of ownership in AppSec. For example, automated security tools are only guests in CI/CD and have different acceptance levels among developers, so things may fall between the cracks.
In addition, AppSec’s role includes strategically guiding the organization. As advocated by maturity-focused programs such as BSIMM and SAMM, collecting the right data and disseminating it to the right stakeholders can improve security from the bottom to the top and from the top to the bottom.
In order to become agile, AppSec must have measurement and governance capabilities when providing services to encourage developers to pull security to the left. AppSec agility requires breaking any dependencies related to posture measurement and governance, and establishing sustainable independent operations to set their own strategies and tactics.
2. Find the need
The potential interruption caused by the release of new software in the enterprise encourages the product team to avoid making assumptions and understand the effective methods for users; there is a journey of constant discovery of requirements. Although the security requirements are clearly stated on the paper, with the rapid development of software, most teams are eager to manage the process.
With the continuous development of regulations and industry standards, AppSec must have the ability to be fast and agile to define the organization’s security priorities.
3. People, processes and tools
Agile development requires the cooperation of individuals with motivation and ability. Tools that help develop to catch up with AppSec (such as Git for processing code at the same time, Jira for tracking complex plans, and Jenkins for optimizing and standardizing builds, testing, and deployment) are critical to agility. They allow users to reduce investment in peripheral tasks and move faster while benefiting from the insightful data they have.
Having a professional security architect, sharp pen tester and well-equipped bug hunter is irreplaceable, but there is great hope in automated security testing and runtime protection. A system that helps AppSec’s agility can reduce tedious tasks and use data from one activity to improve the efficiency of another activity.
A better, scalable AppSec requires better intel collection, metrics and orchestration. The team must be able to use prescriptive indicators to guide priority assignments so that they can allocate their talents well. The AppSec team should be able to immediately know which assets they are protecting and which are the most important. By enabling organizations to use more security services and provide leadership with feasible metrics, the team will be able to adopt systematic processes, such as proven learning, and mature the organization.
From agile to mature
Now is the time for AppSec to run in the realm it protects. This is the only way for the AppSec team to effectively complete the work, while at the same time providing rapid production results to the satisfaction of the board of directors. The AppSec team should have a clearer workflow, a higher degree of automation and true visibility. Software engineers have learned to master the machine and make it our friend. Now it’s time for application security to do the same. Frankly speaking, it can no longer afford it.
Chen Gour-Arie is the chief architect and co-founder of Enso Security. With more than 15 years of practical experience in network security and software development, Chen has proven the software security of dozens of global enterprise organizations across multiple industries.