Our customers are interested in reducing application security risk. Over the years we've seen a variety of approaches to this problem and have helped many customers on their path toward more secure applications and reduced risk. Most of those approaches fall into one of three categories:
- Find and Fix - Includes the use of scanning tools, application penetration testing and other discovery focused approaches to security.
- Protect in Place - Includes the use of application allowlisting, web application firewalls, intrusion detection systems and other post-deployment detection mechanisms.
- Secure at the Source - Involves process and policy steps, best practices and standards focused on integrating security into the software development lifecycle.
I can see value in each approach, and it's interesting to note a progression in organizations as they invest in application security and mature in the way they approach the problem. Many development organizations start with find and fix, almost by necessity, since application security efforts often begin with the discovery of a high-impact vulnerability. Once a problem has been found and the nature of the risk is understood, there is a scramble to expand the discovery process and fix everything that can be found. IT organizations, on the other hand, tend to favor protect in place: they work in the production environment and want to do as much as they can without having to change the software development process itself.
While each of these approaches plays an essential role in reducing application risk, the greatest long-term impact comes from securing applications at the source. This approach targets the development process itself, fixing the systemic issues that produce vulnerabilities in the first place. Discovery and detection then become a backstop that catches whatever slips through a properly designed and implemented system.
A secure software development lifecycle is the most effective long-term approach to application risk reduction we've found. Unfortunately there is no one-size-fits-all recipe for secure development. Instead I've become a fan of a framework we call the three pillars of success: Standards, Education, and Assessment. Together they form a cycle of continuous improvement that creates an ecosystem of repeatable, secure software development.
- Standards - Bridge the gap between information security policies and development team best practices. These take the form of security principles, coding best practices, architecture standards, and testing procedures.
- Education - Gives the team the necessary foundation to successfully implement the standards and adhere to policy requirements. This takes the form of instructor led training, computer based training, brown bags and other forms of team self improvement.
- Assessment - Provides a feedback mechanism that can be used to update standards and improve the education program. This takes the form of static analysis, dynamic analysis, penetration testing, code reviews and audits.
Standards
Standards are the backbone of secure software development and align development activities with policies, compliance mandates, and customer requirements. Rolling out standards is the first really hard challenge in building a secure SDLC, and probably the most important one. Standards set expectations for the team (in-house or outsourced) and drive the need for continued education and assessment. An effective application security program includes:
- Secure coding standards and guidelines for your team(s)
- Augmenting current SDLC practices with security activities
- Guidance on which tools to use, and how, at each phase of the lifecycle
One aspect that is often overlooked here is translating IT GRC and information security policies into specific development activities for the development team. Policies are the WHAT, but development teams need to know the HOW and the WHY. Be sure to do this mapping; otherwise it is a real challenge to tell your team what to do. How do you align development activities with security policies and industry best practice? This is the prescriptive guidance we built into TeamMentor. It gives you a comprehensive starting set of secure coding guidance and samples that can be customized to your team and security requirements, and you can improve the content over time as you use it and mature from a security perspective. Other organizations have used wikis or SharePoint as a repository for similar content, but the concept is the same.
Education
Because software security is not taught in most college computer science programs, professional engineers and developers often lack the necessary skills to build secure software. To plug these holes and to ensure teams have the specialized skills that attackers have, each organization needs the foundation of knowledge and process guidance necessary to:
- Design software securely
- Code defensively
- Conduct more effective assessments
- Get more utility out of tools
- Remediate vulnerabilities
- Improve standards and processes
A good training program should include:
- Security awareness to understand what could happen if you don't consider security
- A baseline of secure coding principles
- Training specific to the various development languages (ASP.NET, Java, C/C++, etc.) and platforms (mobile, web, stand-alone, etc.)
- Technical training that's specific to job functions, such as architects, developers, QA/testers, etc.
Assessment
Assessment is how you find out whether you are doing the right thing. Code reviews, application penetration tests, automated scanning tools (static and dynamic analysis) and the like let you audit both your applications and your SDLC against standards and requirements. Don't fall into the trap of only finding problems without building the skills to fix them: analyze the root cause of each finding and feed that back into the program. Assessment results provide insight that should drive improvements to policy, standards, education and tool usage.