5 ways to scale your app sec program

Robert Lemos Freelance writer
 

With 300 banks, including 90 of the top 100 institutions, using its software, the financial services firm Finastra has made securing its applications a top priority.

The current security status of the company's suite of applications is delivered to decision makers via a dashboard, while development teams have security issues flagged as bugs in the software ticketing system. Meanwhile, the engineering team has created a self-service model of security testing that incorporates its tools into the business operations. 

Nir Valtman, head of product and data security for Finastra, said getting the functional pieces into the right place in the organization is key.

"App sec has to be integrated into the right place, and you need to get support from both directions—from the bottom and the top."
—Nir Valtman

Starting a security program is hard enough. Going from pilot programs and basic secure development lifecycles to a more comprehensive program can cause rifts between development and security teams, slow down productivity, and lead to growing security debt.

John Steven, chief technology officer for vulnerability-orchestration platform ZeroNorth, said it takes a "cultural transformation."

"If you have a team that is doing monolithic development for a decade, they are not going to evolve."
—John Steven

Here are five ways to improve the maturity of your application security program, and expand your efforts throughout the company.

1. Do security testing earlier

Vulnerabilities cost more the longer they escape detection. Finding and closing software security bugs as early as possible in the development process is a key attribute of mature security programs, said Rick Smith, product manager for dynamic application security testing (DAST) solutions at Micro Focus Fortify group.

Application security teams should move as much security and code checking as possible into the organization's integrated development environment (IDE), as long as it does not hurt productivity. Integrating code-checking features such as linters and static analysis security tools into the editor keeps developers in the habit of writing secure code and teaches secure coding concepts along the way.

However, only the simplest checks can be done during the code-editing process. Additional testing should be done at other points in the development cycle, said Smith.

"There are limits to what you can do in an IDE. If you want to do broad and deep analysis, you probably need to do it at build time."
—Rick Smith

In the IDE, expect to catch only the lighter-weight vulnerabilities.
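To make the "fast checks in the editing loop, deep analysis at build time" split concrete, here is an added example (not Finastra's, Micro Focus Fortify's or any vendor's code) of the lightweight tier: it scans only the lines a developer just added, using cheap regular expressions, so it is fast enough to run from an editor save hook or a git pre-commit hook. The rule names, the patterns and the sample diff are constructed for the example; anything needing cross-file data-flow analysis is deliberately left to the build stage.

```python
"""Editor-tier security checks over a unified diff (added example).

Only '+' lines of the diff are inspected, with cheap patterns, so the check
stays fast enough for an IDE or pre-commit hook. The pattern set and the
sample diff are constructed for this example.
"""
import re

# Cheap, high-signal patterns suitable for the editing loop. Deeper checks
# (taint analysis across files, full DAST) belong at build time.
FAST_PATTERNS = {
    "hardcoded-aws-key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "shell-true": re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
    "tls-verify-off": re.compile(r"verify\s*=\s*False"),
    "eval-call": re.compile(r"\beval\s*\("),
    "weak-hash": re.compile(r"hashlib\.(md5|sha1)\s*\("),
}

def added_lines(diff_text):
    """Yield (path, new_line_no, text) for every added line in a unified diff.

    Line numbers follow the new-file side: context and added lines advance
    the counter, removed lines and the '\\ No newline' marker do not.
    """
    path, line_no, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk = False                      # new file section starts
        elif raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            in_hunk = False
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)       # '+start' of the new-file range
            line_no = int(m.group(1)) if m else 1
            in_hunk = True
        elif not in_hunk:
            continue                             # index/mode lines etc.
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif raw.startswith(("-", "\\")):
            continue                             # removed line: numbering unchanged
        else:
            line_no += 1                         # context line

def check_diff(diff_text):
    """Return findings (rule, path, line, text) for the added lines only."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for rule, pattern in FAST_PATTERNS.items():
            if pattern.search(text):
                findings.append({"rule": rule, "path": path,
                                 "line": line_no, "text": text.strip()})
    return sorted(findings, key=lambda f: (f["path"], f["line"], f["rule"]))

# Constructed sample diff: a developer disabled TLS verification and
# introduced a shell=True call in the same change.
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/fetch.py b/app/fetch.py",
    "--- a/app/fetch.py",
    "+++ b/app/fetch.py",
    "@@ -10,4 +10,8 @@ import requests",
    " def fetch(url):",
    "-    return requests.get(url)",
    "+    # TODO remove before merge",
    "+    return requests.get(url, verify=False)",
    "+",
    "+def run(cmd):",
    "+    return subprocess.run(cmd, shell=True)",
    " ",
    " def parse(data):",
    "     return data",
])

if __name__ == "__main__":
    # As a pre-commit hook: a non-zero exit blocks the commit until fixed.
    hits = check_diff(SAMPLE_DIFF)
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['rule']}: {h['text']}")
    raise SystemExit(1 if hits else 0)
```

Wire it up with `git diff --cached | python fast_checks.py` from a pre-commit hook; because it never looks beyond the changed lines, it cannot find the injection paths a build-time analyzer would, which is exactly the division of labor Smith describes.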

2. Empower developers to scan for security

Netflix uses the mantras of "freedom and responsibility" and "context not control" to describe how it approaches security. The application security team should make security tools easy to use and able to run on demand, much as paved roads smooth travel for motorists and allow them to drive their car at will, wrote Astha Singhal, director of application security at Netflix, in a recent Medium post.

"Netflix engineering invests in the concept of an infrastructure and security paved road. This provides well-integrated, secure-by-default central platforms to engineers at Netflix so they can focus on delivering their core business value."
—Astha Singhal

Empowering developers to handle security issues—often referred to as "shifting left"—is extremely important. When developers take on more of that responsibility, the software development process becomes more agile and better aligned with continuous integration and delivery initiatives such as DevOps, said ZeroNorth's Steven.

"When decisions get made by the developers, they tend to figure out what tools they need, and then run those tools on the pipeline. So there is a lot less friction."
—John Steven

3. Communicate using the right channel

Different stakeholders in the company each require a different view into the state of application security. Finastra's management, for example, needs a high-level view with specific metrics to gauge progress in securing their applications. For developers, security problems should be expressed in their language—bugs that need to be fixed, said Micro Focus's Smith.

"By and large, developers want to treat security issues as a bug. We see a lot of companies creating dashboards that give higher-level visibility into the status of different solutions." 
—Rick Smith

Seeing it in Jira is fine, but that won't work for most managers, he said. 

Companies also need clear key performance indicators (KPIs) that measure what is known about the security status. Programs that succeed dive deep into security metrics, and also acknowledge the parts of the application portfolio into which they have no visibility.
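The following added example (not Finastra's, Micro Focus's or Netflix's code) shows the "right channel" idea in working code: one set of scanner findings is turned into bug-shaped records for the developer's tracker, deduplicated by a stable fingerprint so that re-scans do not re-file the same issue, and into a management summary whose KPIs also state which applications have never been scanned. The finding format, application inventory, SLA values and dates are constructed for the example; a real integration would read SARIF or the scanner's JSON and call the tracker's API.

```python
"""Route one set of findings to two audiences (added example).

Developer channel: bug records, one per new finding, keyed by a fingerprint
that survives line shifts. Management channel: counts, SLA breaches and the
coverage gap. All data below is constructed for the example.
"""
import hashlib
from collections import Counter
from datetime import date

# Remediation SLAs in days per severity (assumed policy, not from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
PRIORITY = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}

# Constructed inventory and scan state: one app has never been scanned.
INVENTORY = ["payments-api", "trade-portal", "kyc-service", "ledger-batch"]
SCANNED = {"payments-api", "trade-portal", "kyc-service"}
AS_OF = date(2020, 6, 1)  # reporting date used for SLA arithmetic

# Constructed findings in a simplified scanner output format.
FINDINGS = [
    {"app": "payments-api", "rule": "sql-injection", "severity": "critical",
     "file": "src/db/query.py", "line": 88,
     "snippet": 'cur.execute("SELECT * FROM tx WHERE id=" + tx_id)',
     "first_seen": date(2020, 5, 20)},
    {"app": "trade-portal", "rule": "xss-reflected", "severity": "high",
     "file": "web/views.py", "line": 40,
     "snippet": "return HttpResponse(request.GET['q'])",
     "first_seen": date(2020, 5, 25)},
    {"app": "trade-portal", "rule": "weak-tls", "severity": "high",
     "file": "web/client.py", "line": 12,
     "snippet": "ssl.PROTOCOL_TLSv1",
     "first_seen": date(2020, 4, 1)},
    {"app": "kyc-service", "rule": "hardcoded-secret", "severity": "medium",
     "file": "cfg/settings.py", "line": 3,
     "snippet": 'API_KEY = "..."',
     "first_seen": date(2020, 3, 1)},
]

def fingerprint(f):
    """Stable id from app, rule, file and whitespace-normalised snippet.

    The line number is deliberately excluded so a finding keeps its identity
    when unrelated code above it is added or removed.
    """
    key = "|".join([f["app"], f["rule"], f["file"], " ".join(f["snippet"].split())])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def to_bug_tickets(findings, already_filed):
    """Developer channel: one bug-shaped record per finding not yet filed."""
    tickets = []
    for f in findings:
        fp = fingerprint(f)
        if fp in already_filed:
            continue  # re-scan found the same issue; do not file it twice
        tickets.append({
            "key": fp,
            "title": f"[{f['severity'].upper()}] {f['rule']} in {f['file']}:{f['line']}",
            "component": f["app"],
            "priority": PRIORITY[f["severity"]],
            "description": f"{f['rule']} at {f['file']}:{f['line']}\n\n    {f['snippet']}",
        })
    return tickets

def kpis(findings, inventory, scanned, today):
    """Management channel: open counts, SLA breaches and the coverage gap."""
    overdue = [f for f in findings
               if (today - f["first_seen"]).days > SLA_DAYS[f["severity"]]]
    unscanned = [a for a in inventory if a not in scanned]
    return {
        "open_by_severity": dict(Counter(f["severity"] for f in findings)),
        "past_sla": len(overdue),
        "scan_coverage": round(len(scanned & set(inventory)) / len(inventory), 2),
        "no_visibility": unscanned,  # stated explicitly, never hidden
    }

def example_report():
    """Run both channels over the constructed data; the XSS bug was filed earlier."""
    already = {fingerprint(FINDINGS[1])}
    return to_bug_tickets(FINDINGS, already), kpis(FINDINGS, INVENTORY, SCANNED, AS_OF)

if __name__ == "__main__":
    tickets, summary = example_report()
    for t in tickets:
        print(t["priority"], t["component"], t["title"])
    print(summary)
```

The developer sees three new bugs with priorities and a code location; the manager sees four open findings, three past SLA, 75% scan coverage and the name of the application nobody has looked at. Keeping the "no_visibility" field in the summary is what turns a dashboard from a vanity metric into an honest one.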

4. Self-service security is key

Netflix has put a lot of effort into giving developers the tools they need to secure their own applications, and a big part of that effort is the concept of self-service capabilities through automation.

Netflix's application-security automation group provides "consistent, actionable, self-service security guidance to developers," Singhal wrote.

"We aim to have a single view for developers for all actions needed to keep their applications healthy from a security standpoint."
—Astha Singhal 

5. Don't forget to foster a security culture

Finally, companies should focus on developing a robust security culture. Rather than mandating security for all developers, seek out those who are invested in learning about secure coding, said Finastra's Valtman.

"You find the people who are excited about security, and use that excitement as a way to start a security champions program. You need to have the champions to scale up the program."
—Nir Valtman

Application security teams should remember that growing a security program is not about adding more people, but being more efficient with the ones you already have, said ZeroNorth's Steven.

"It is not about having 100 humans. It is having three humans that can talk to the site reliability engineers and have security people who upgrade their DevOps skills."
—John Steven
