Editor's note: This is part two of a series on building an application security program. Part one examined how to get started and what role static testing and dynamic testing play in these programs.
During the recent OWASP AppSec Europe 2016 conference in Rome, a number of attendees pointed to the increased awareness of the growing need for building an application security program. Unlike many conferences where it's mostly security professionals speaking to other security professionals, AppSec Europe drew many enterprise and commercial software developers and software engineers from outside the security field.
"We're seeing engineers becoming aware of the problem, and they are beginning to drive the management team to look at SSDLC (secure software development lifecyle), not the other way around," said Matteo Meucci, CEO of Minded Security. "Management should embrace this and empower their engineers to learn about application security."
Tony Luzza, director of international channel sales at risk analysis firm Security Innovation agreed that education needs to start with the SSDLC. "The goal is to get the engineers trained to secure the code at the beginning of the SSDLC," Luzza said, and to bring the training into the daily activities of the job.
"Application security is a process," Meucci said. "It's more than just writing secure software and it's not just validating the software is secure prior to release. It's a team effort where the whole team is responsible for the security of the software."
Software automation and security firm Sonatype suggests that managers give their developers early feedback about the code they've written -- as well as code they have acquired from contractors, vendors and the open source community. When there are problems, the approach is to let developers know right away that the code is not acceptable -- and fix it immediately, before the developer moves onto the next task.
Amit Ashbel, director of product marketing at application testing firm Checkmarx, agreed and said static testing of code can be beneficial to this process. "Static testing is needed at the development and quality assurance stages," Ashbel said, "and requires skills by the developers, since they are looking at security issues and fixing them while they are writing the code."
Tony LuzzaSecurity Innovation
Prerelease testing using dynamic testing and penetration testing can be helpful, but it can be hard for developers to understand the root causes of a security failure at this stage. That adds to the cost and time, and of course, may result in a potential fix that actually fails the next set of security tests.
"Several of my larger customers who have invested heavily in developer security training have reported to me an immediate and measurable decrease in discovered vulnerabilities among those teams," said Jim Manico, co-founder of Manicode Security, which specializes in secure coding practices. "I find that companies [that] take developer training the most seriously gain the most benefit."
An application security program can require more than just coding practices.
"We actually view software development as software manufacturing," said Ilkka Turunen, solutions architect at Sonatype, connecting the two paradigms by describing how multiple parts are developed by contractors and vendors, supported by a supply chain and assembled to deliver new functionality.
In that type of environment, Luzza said, the engineering teams and development shops won't be proactive in security. Rather, security policies and requirements will be dictated by the company hiring them. "However, the company's name is on and behind the final product, and that means the customer can request -- or require -- that their contractors' coders must take and pass a certain number of security training modules."
For example, Luzza said, the top trainings could include:
- OWASP Top 10
- Secure software design
- A code module -- security for Java, C++, etc.
- A secure platform module (e.g., mobile security)
Ultimately, it's about starting with simple secure software development design and a set of coding best practices that you are comfortable with as an organization. "Start with general awareness -- then build on deeper, intense application security," added Luzza.
As you start at the very beginning with an application security program, conduct the Software Assurance Maturity Model analysis, get awareness and training in place and consider getting help from security assessment firms to fill in the gaps. The beginning, after all, is a very good place to start -- but it's only the beginning of the application security journey.
Find out how military defense in depth strategies can benefit enterprises
Read more on the value of security tabletop exercises
Discover how enterprises can improve their information security culture