Building Secure Software Right from the Start: Four Steps for an Effective AppSec Strategy

By Joanne Godfrey, Security Evangelist, ZeroNorth

Companies are rushing to launch digital transformation initiatives and roll out new software products and services at a greater speed than ever before. But one false move, such as releasing vulnerability-riddled software that facilitates the loss of company or customer data, can destroy your business.

The easiest way, by far, to protect your business and your customers is to design and build software products that are secure from the start. With software now defining and driving all businesses, the need for an AppSec program has never been more critical. But ramping up an AppSec program is not a simple process. You need time, staff, expertise, not to mention budget, all of which are generally in short supply right now. You also need to figure out a strategy for the program, one that supports your own specific business needs, culture and resources. This strategy should encompass four core components: the ends, the means, the how and the why.

The Ends: Figuring out what to protect

Not all data and their respective applications are of equal value. Some are internal facing, some are external facing, some utilize customer data, some are informational, etc. So, the first thing to do when ramping up an AppSec program is to consider which are your most valuable assets. Is it your intellectual property? Sensitive customer data? Financial data? You’ll also need to understand how this data is used and by which applications, all within the context of your business. So, if your new web app is driving revenue and it’s offline, that’s bad for your business’ bottom line. But what’s far worse and much costlier is a breached application that allows malicious actors to gain access to the network and your private customer data.

It seems like “what’s worth protecting and what’s not” should be an obvious and easy question to answer, but such an assumption often leaves this important question unasked. If you ask different teams within your organization, you’ll probably get surprisingly varied answers. Through inclusive dialogue with business owners, risk, compliance, security and engineering, you’ll to need to determine the value and criticality of your assets—as well as the applications that use them. In turn, this assessment will drive the means and ways you protect them.

The Means: Lining up the right tools for your AppSec program

There are many technologies and techniques on the market today to protect your critical data and applications, as well as infrastructure. But building secure products from the outset is by far the easiest and most cost-effective way to proactively protect corporate and customer data, not to mention brand reputation. This requires running AppSec scans to discover vulnerabilities during the different stages of the software development lifecycle (SDLC), then analyzing, correlating, and prioritizing the data from these scans so developers can easily remediate vulnerabilities as quickly as possible.

So, the second component of an effective AppSec program is to line up the right tools to discover and manage vulnerabilities in your business-critical applications. Selecting the right scanning tools will depend on the languages and frameworks in your application portfolio, performance requirements, and budget, as well as how these tools are implemented throughout your specific SDLC. The tool selection and deployment process alone can take many months. It also requires some level of expertise in both security and development technologies and processes, together with a deep understanding of business priorities – time you may not have right now. Moreover, if the implementation is a heavily manual process, it’s unlikely the tools will be used consistently—which defeats the purpose.

One way to overcome some of these hurdles and trim down the timeframe needed to ramp up an AppSec program is to use open source security scanning tools. Many open source security scanning tools deliver powerful capabilities. They are free and readily available, making them a practical choice for companies seeking to implement an AppSec program quickly and with little perceived effort. But regardless of whether you’re using commercial and/or open-source AppSec tools to gain real value quickly, you’ll need to be able to centrally orchestrate and manage these disparate tools. You’ll also need to find a way to correlate and prioritize findings in order to make the data actionable and operational for security and development teams.

The Hows: Facilitating productive collaboration between security and development

This leads us to the third component. There needs to be—or you need to build—a committed relationship between the security team responsible for finding security vulnerabilities and the engineering team who actually remediates the issues found.

We often hear the engineering team isn’t super interested in having the security team run assessments during build pipelines. Or, they don’t want to be told about the litany of security issues discovered because of the deep backlog they already have. They don’t have the time to deal with this additional work. They have been hired to deliver software, not secure code.

This is where perceptions—and, indeed, job definitions around application security—need to change. It’s also where both teams must get on the same page regarding risk. There needs to be an understanding that application security vulnerabilities are a risk to the business in the same way as financial risk or market risk. Which applications should be scanned, when they should be scanned, what vulnerabilities gets fixed, when should they be fixed and how they get fixed must be aligned with what’s best for the business. Moreover, vulnerability data must be delivered to developers in an easily consumable and useable format—without unnecessary “noise”—so they can quickly and easily focus on fixing the source of the problem, all without disrupting their existing development processes. Ultimately, by working collaboratively with security, the engineering team can become more efficient and effective, producing higher quality code from the get-go.

The Whys: Communicating effectively with executives

As with every relationship, business or personal, communication is key. And it’s not just about communicating; it’s about how you communicate—the tone, the frequency, the language you use.

The fourth component of a successful AppSec program is about effective communication. Salient AppSec information must be communicated to business executives and application owners in terms they can relate to, such as potential loss of revenue; reputation and brand impact; criticality of a security vulnerability (high-medium-low); time and cost of remediation (together with the impact of time lost on other strategic initiatives); penalties as a result of a compliance violation and legal implications. Obviously, the timing of this communication is important too. The earlier you flag a security problem with a business-critical application, the quicker it can be addressed. This way, you can hopefully avoid any meaningful impact on your business.

Moreover, communication must be a two-way street. Actually, it must be a three-way street when it comes to security. There must be clear lines of communication from the security team to business decision-makers around application security risk. Executives must then assess the cost of that risk to the business and communicate the criticality and priority back to security and engineering teams. These human interactions are critical, and no amount of technology can replace them.

Over time, the business changes, the economic environment changes, people and their perspectives change, breaches happen. And any of those things can be a tipping point in changing perceptions around application security. But to stay competitive while growing business—all within a volatile threat landscape and unpredictable economy—one thing remains constant. Security teams, engineering teams, and business executives must work hand-in-hand to understand, assess, and mitigate risk. They must continuously measure the impact and results of the program—and then iterate and iterate. The success of your business depends on it.

About the Author

Joanne Godfrey serves as Security Evangelist at ZeroNorth. Previous to this, she was a Senior Product Marketing Manager at IBM Security. She has also held management-level positions at Egress Software Technologies, AlgoSec, and Bradford Networks (acquired by Fortinet). She holds a MA in Modern History from the University of London and a BA in International Relations, Political Science, and Business from The Hebrew University. Joanne  can be reached online at: https://www.zeronorth.io/