Security is top-of-mind with everyone, as it should be. All of us know that security threats are escalating along with costs at unprecedented rates.
On the one hand, companies invest to tackle the threat; on the other, they increase their security risk by implementing Digital Transformation strategies. Building a digital business often enlarges the attack surface, which increases the risk of exploitable vulnerabilities. Although it feels like business initiatives for growth work at cross purposes to securing a company’s core assets, it doesn’t have to.
If you really think about it, building a strategic security mindset for application development requires 4 things: senior executive buy-in to get the whole organization on the same page; investment to train and build security skills within development teams; selecting the right testing and monitoring tools to add to your DevSecOps toolchain; and a fundamental alignment to bring security into product development and operations from the point of inception and carry it throughout the product lifecycle. In short, organizations must switch from reactive to proactive approaches.
The 5 Tenets for Building Secure Application Development
"Security is not the last step, it must be part of every step, and on every engineer’s mind as they write code."
Regardless of your development environment and practices, security must fundamentally factor into your thinking throughout development.
We elaborated on the subject in our latest whitepaper titled, Building an Application Development Security Mindset. It explains how security fits into development. At Encora, we consider 5 core tenets as critical success factors to building a security mindset around application development.
- Security Training & Skills
The right training and skill sets are critical to fill the technical gaps and manage the cultural changes needed to bring security throughout a product lifecycle. Incorporating security training and skill development into the company’s culture requires investment to raise developers’ ability to write secure code and to understand the perspectives of their security colleagues, which is fundamental to enabling engineering and security teams to collaborate.
I was encouraged to read in the SANS Institute’s 2016 State of Application Security that nearly half of all respondents indicated that training developers on application security was a top priority, and some even increased testing responsibility at the development team level in order to accelerate competencies within development organizations.
- Secure Application Development
To ensure development is secure we suggest 2 concepts: use security-focused frameworks, and feed the security team’s input into the developers’ workflow and Sprint demo reviews. For frameworks, we believe the right objective is to review, select and adopt proven, appropriate security-focused frameworks based on best practices, software libraries, standards and governance policies that align with your specific industry.
We describe 3 well-known frameworks in a recent whitepaper. These frameworks are collections of rules, techniques and processes that guide development organizations and frequently provide resources that can be applied directly. Each has a different focus, but all are fundamentally oriented around security.
- Microsoft Secure Development Lifecycle (SDL): This process fits well within existing DevOps environments and provides a more generic structure that does a good job of incorporating security throughout the process. In our experience, it’s not specific to any application type or operating environment.
- Open Web Application Security Project (OWASP): This open community publishes data about the top vulnerabilities and their associated impact and risk, as well as best-practice guidance for developing and reviewing secure web apps.
- Industrial Internet Consortium (IIC): The IIC published an Industrial Internet Security Framework report derived from an active working group. It helps identify the requirements for open interoperability standards and define common architectures to connect smart devices, machines, people, and processes.
Additionally, bring the security team into the development process early to capture their feedback, and include their participation throughout workflows and Sprint demos. The idea is to work through security risks concurrently within the development phase in order to avoid costly delays down the road. We realize it’s more challenging to do this during a product expansion or maintenance phase than in greenfield development. But taking the first step and persevering is key, and eventually a security-based development workflow will become a proactive advantage in your total security strategy.
- Security + DevOps = DevSecOps
DevSecOps represents the growing shift that fully integrates security into a DevOps workflow, creating a unified progression. Just as DevOps requires simultaneously addressing development and operational issues, security concerns must now be addressed as well. Security + DevOps, or DevSecOps, involves not only expanding each phase to include a security focus, but also incorporating cross-functional training in order to mitigate risks as code is developed. At Encora, we are avid Agile and DevOps practitioners, so adopting DevSecOps helps us improve best practices in response to the rising threat landscape and share that knowledge with clients.
- Security Testing Tools
Continuous testing is important, and Application Security Testing (AST) tools should become an integral part of every developer’s toolchain. There are a variety of good tools, including open source ones. When considering AST tools, keep in mind that it’s better to identify the tool set you want to use up front in order to optimize instrumentation in the code. Otherwise, the tools may not perform properly or fully scan the code. AST tools fall into a few basic categories around testing methodologies:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Interactive Application Security Testing (IAST)
Gartner’s 2017 Magic Quadrant report for AST Tools indicates that “the majority of enterprises that develop applications employ some form of AST, but the various technologies differ in adoption and maturity. DAST and SAST are the most widely adopted, while IAST adoption is still growing.”
Back to the SANS 2016 survey and study: in terms of testing, the results were an interesting reflection of the value SDL (Secure Development Lifecycle), Agile and DevOps have brought to software development overall. Survey responses about testing schedules varied, but “60% indicated that they test applications continuously, with 27% using continuous assessment in their Agile development processes and 53% of respondents testing applications when they are initially launched into production.”
- Continuous Monitoring & Analytics
Continuous monitoring and analytics help protect live production software and provide continuous feedback that flows back into development. It is a common-sense practice to monitor and analyze production releases. It can provide valuable insights, real-time performance information and data, which helps to intercept potential vulnerabilities before they are exploited.
SUMMARY
As mentioned earlier, every business must become proactive to protect itself effectively against the changing threat landscape. Managing only a reactive response is no longer sufficient.
We believe instilling security into the very fabric of product development is a key component of every security strategy. This is driving investment, security-aligned best practices and tools that help make application development more secure from the point of inception and throughout the product lifecycle. The 5 tenets mentioned here summarize our approach, which we elaborated upon in our whitepaper titled Building an Application Development Security Mindset. Check it out.