Business Reporter

Security must mature to keep up with development

Sponsored by Snyk

Amid the rapid evolution of software development, AppSec faces a critical juncture


Over a decade ago, the Agile method transformed how software engineers overcome the industry’s constant cycle of disruption and progress. Since then, we’ve seen the addition of DevOps, cloud, and AI empowering distributed development teams to build software with greater speed and autonomy.

Software solutions have proliferated as a result, and although this has led to extraordinary enterprise growth, narrow commercial focus on application output has come at the expense of security. Since software “ate the world”, the resulting security gaps and potential for business risk have reached critical mass.

Despite wide adoption by enterprise organizations of tooling meant to catch potential risk earlier in the software development lifecycle, security is still playing catch-up, unable to reach the same levels of maturity and speed as development. AppSec teams fight an uphill battle to gain visibility and control over their environments, working off incomplete information and relying on chance to catch incidents. Rather than investing their time in design reviews, threat modeling, code reviews, and penetration tests, security practitioners are hunting down critical pieces of missing information and identifying new applications and their owners.

To catch up, the AppSec world must transition from a model of chasing vulnerabilities to managing business-critical risk. Outnumbered 100 to 1 by developers, AppSec will never be able to win the game of vulnerability whack-a-mole. AppSec teams must adopt a risk-based AppSec model, ASPM (application security posture management), to focus on tackling the most business-critical software risk.

The case for a risk-based approach

As a CISO of a large retail company elegantly put it when describing the risk-based approach to AppSec chaos: “I don’t manage vulnerabilities, I manage business risk.”

AppSec has plenty of comprehensive methodologies and tools for identifying vulnerabilities, protecting against attacks, and detecting hostile activity. However, issues of visibility, manageability, and scalability of application security remain unaddressed—leaving blind spots and creating chaos. Like the rest of software engineering, software security is a delicate, highly intricate process built upon layers of time-consuming, highly detail-oriented, and often menial tasks. The only way for AppSec to move forward is to find its independence and its own mature approach to identify, prioritize, and measure those tasks as a discipline.

People, processes, and tools

Agile software development principles are based on the recognition that healthy cooperation of motivated and empowered individuals is of top importance. This encourages teams to build a lean process and work in short iterative cycles, to quickly adapt and develop the products they are building. The tools that helped development outpace AppSec—such as Git for collaborative coding, Jira for tracking complex plans, and Jenkins for optimizing build, test, and deploy—are instrumental to agility, as they allow their users not only to invest less in tasks that are peripheral to software development and move faster, but also to benefit from the insightful data emitted by these systems.

While there is no replacement for a professional security architect, a razor-sharp pentester, and properly armed bug hunters, there is great promise in automatable activities such as software composition analysis, properly calibrated static code analysis, and relentless dynamic analysis. Instrumental to AppSec agility are systems that are designed to effortlessly collaborate on the task, enrich data, and simplify manual operation.

Aside from performing the above-mentioned activities, AppSec requires better intel collection, better measurement metrics, and better orchestration. Teams must be able to allocate their talent well, using prescriptive metrics to guide the prioritization of their time and funds. AppSec teams should be able to immediately know what assets they are protecting, and which of these assets they care about most. By acquiring the ability to make more and more security services accessible to the organization, and providing executives and management with actionable posture measurements, teams will be able to lead their organization to maturity.

From outpaced to mature

The time has come for AppSec to operate at the level of the field it is dedicated to protecting. This is the only way for AppSec teams to effectively do their job while enabling the kind of speedy production and risk reduction that keeps boards happy. At Snyk, we believe that ASPM (application security posture management) is the foremost approach to create an agile and scalable AppSec program. An ASPM solution such as Snyk AppRisk delivers complete application asset discovery, smart controls coverage, and risk-based prioritization so that AppSec can govern their security program in seamless collaboration with development, for demonstrable risk reduction at scale.

Software engineers have learned to master maturity. AppSec can’t afford to not do the same.


For more information, visit snyk.io


By Chen Gour Arie, Co-founder & VP R&D of Enso Security (Part of Snyk)

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543