The mass shift to remote work caused by the COVID-19 pandemic has heightened the need for resilient app sec practices at many organizations.
In addition to dealing with the high volume and frequency with which applications are being released these days, application security teams now also have to contend with challenges tied to people working remotely and checking in code from every part of the globe.
With applications being released into production weekly, daily, and even hourly, the “sec” in DevSecOps has truly never been more relevant or critical. It’s time to make sure your app sec approach is cyber-resilient. Here are five areas to focus on.
Automation is critical to cyber-resilience. You need to leverage tools so the app sec solution is as touchless and process-driven as possible. Ideally, anything that can be automated should be automated, and a resilient system will allow for that. In fact, a resilient system will not only allow for it, but will also drive the automation.
Imagine a future environment where, if you need to suddenly scan 1,000 apps, you can automatically spin up the number of scanners you need to handle that capacity. If the capacity changes and you no longer need that many scanners, your system is intelligent enough to figure that out and automatically bring the number down.
In a truly resilient system, automation will allow developers to write and commit code, and the scans just happen. You shouldn’t have to do anything. The system automatically filters out findings you can’t fix and findings that don’t matter for your environment or your KPIs. It’s almost like when you hit the gas pedal on your car. There’s a lot of stuff that goes on, but you don’t have to know anything the engine does other than it goes. That’s pretty powerful.
Ultimately, the goal should be to have code that fixes itself like a spell-checker. We are not there yet, but one day there will be enough smarts where you can trust the system to fix things on its own.
2. Have actionable results
Your app sec system should be focused on driving the actionability of test results. It should be centered on the things that you need to focus on today. Historically, app sec solutions have had a tendency to give you a laundry list of things to fix when what you really need is just a list of the issues that are pertinent to the organization and to you.
A resilient system will give you the 10 things that you need to fix today, not the 1,000 things that you might need to address over time. It uses intelligence to identify the issues that can affect or prevent you from going into production.
Actionability is part of automation. It means a developer can write code while, behind the scenes, the code is assessed and the pertinent findings that need fixing are surfaced as quickly as possible. It’s like going from a horse and buggy to a Tesla.
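To make the "10 things to fix today" idea concrete, here is an added example (not code from the original article or from any product it alludes to) of a policy-driven triage step: a raw scanner report is reduced to the findings that actually block a release, with risk-accepted items, test and vendor code, and sub-threshold severities removed, and the remainder ranked so the quickest risk reduction comes first. The findings, fingerprints, path prefixes and thresholds are all constructed for the example.

```python
"""Added example: policy-driven triage of scanner findings.

Reduces a raw report to the short list that blocks a release today.
Findings, policy values and helper names are constructed for this
example; they are not the output of any particular scanner.
"""
from dataclasses import dataclass
from typing import Iterable

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    rule_id: str         # scanner rule identifier, e.g. "sql-injection"
    severity: str        # one of the SEVERITY_RANK keys
    path: str            # file the finding was reported in
    fix_available: bool  # the scanner knows a concrete remediation
    fingerprint: str     # stable id of rule + location, used for suppressions


@dataclass(frozen=True)
class TriagePolicy:
    min_severity: str = "high"                # below this does not block a release
    ignored_path_prefixes: tuple = ("tests/", "vendor/", "third_party/")
    accepted_risk: frozenset = frozenset()    # fingerprints risk-accepted by the app owner
    max_items: int = 10                       # the "10 things to fix today"


def is_actionable(f: Finding, policy: TriagePolicy) -> bool:
    """True when the finding is in first-party code, at or above the gating
    severity, and not already risk-accepted."""
    if f.fingerprint in policy.accepted_risk:
        return False
    if any(f.path.startswith(p) for p in policy.ignored_path_prefixes):
        return False
    return SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy.min_severity]


def triage(findings: Iterable[Finding], policy: TriagePolicy) -> list[Finding]:
    """Return the ranked short list a developer should act on today:
    highest severity first, then findings that already have a known fix."""
    kept = [f for f in findings if is_actionable(f, policy)]
    kept.sort(key=lambda f: (-SEVERITY_RANK[f.severity], not f.fix_available, f.path))
    return kept[: policy.max_items]


# Constructed sample report: what a scanner might emit for one commit.
SAMPLE_FINDINGS = [
    Finding("sql-injection", "critical", "app/db/query.py", True, "fp-001"),
    Finding("hardcoded-secret", "high", "app/config.py", False, "fp-002"),
    Finding("xss-reflected", "high", "app/views/search.py", True, "fp-003"),
    Finding("hardcoded-secret", "high", "tests/fixtures/keys.py", False, "fp-004"),
    Finding("weak-random", "medium", "app/utils/token.py", True, "fp-005"),
    Finding("outdated-dependency", "low", "vendor/lib/old.py", False, "fp-006"),
    Finding("debug-enabled", "high", "app/settings.py", True, "fp-007"),
]

# The app owner has risk-accepted fp-007 for this environment (constructed).
POLICY = TriagePolicy(accepted_risk=frozenset({"fp-007"}))


def release_blockers() -> list[str]:
    """Human-readable view of what blocks today's release under POLICY."""
    return [f"{f.severity}:{f.rule_id}@{f.path}" for f in triage(SAMPLE_FINDINGS, POLICY)]


if __name__ == "__main__":
    for line in release_blockers():
        print(line)
```

Seven raw findings become three: the test fixture, the vendored file, the medium-severity item and the accepted risk all drop out, and the high-severity XSS with a known fix ranks ahead of the hard-coded secret that has none. The policy object is the part worth keeping under version control, since it is what encodes "what matters in our environment".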
3. Support more frequent scans
Your ability to release code securely into production, and how quickly you can do it, depends a lot on how often you are able to scan your apps. You need resilience in app security because you have more apps and you are scanning them more frequently. That puts a lot of pressure on the app sec team, developers, and the CISO.
A resilient system can handle as many scans as required, whether that is one scan or 500. While scalability is about the number of scanners and apps you have, frequency in a resilient system is about how often you can scan those apps.
For example, if you are using GitHub and you scan or commit 20 times a day, you need to have a system that is resilient enough to handle that frequency. It’s about having the burst capability to have more scans that you can turn on when you hit a threshold without having to call someone up or go find another product. You just, say, spin up another container in Docker, and you’re done.
4. Have breadth in your coverage
Modern web apps are very web services-driven, and the more web services and APIs you have, the more risk to your applications. Resilience is about having an app sec solution that not only addresses what you are doing now, but also has the flexibility and extensibility to meet the challenges of the future.
Your solution needs to be cloud-agnostic and have the flexibility to cover on-premises and SaaS environments. It should be able to rapidly support new languages and frameworks. Breadth of coverage means supporting the variety of languages that an enterprise needs to scan now and in the future. Most enterprises don’t have just .NET or Java—they have dozens of languages.
If you started as a .NET shop and you have static analysis capabilities for .NET, do you have the resilience to support Java if a new group comes in or if you acquire another company? Or will you need to go out and buy a whole new set of products? A resilient app sec system would just be able to scan those new apps, and you can simply decide whether you want to do a SaaS model or a cloud model.
5. Make sure it’s scalable
In a resilient system, you don’t have to add infrastructure to bring on more scanning capability. Your system would be cloud-agnostic and have the ability to spin up scanning servers on demand and spin them down just as easily when you don’t need them. Going from needing additional capacity to scan more apps to having that capacity turned on should take only a few minutes.
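The burst-and-shrink behaviour described here and under "Support more frequent scans" can be expressed as a small sizing rule. The following is an added example, not code from the article or from any scanning product: it decides how many scanners a pool should run from the current backlog, grows immediately on a burst, and shrinks only once the backlog has clearly gone, so the pool does not flap. The throughput figure, limits and the simulated hourly queue are all assumed values for the example.

```python
"""Added example: demand-driven sizing of a scanner pool.

Grows the pool immediately when a burst of scan requests arrives and
shrinks it, with hysteresis, when the queue drains. Throughput, limits
and the simulated workload are constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolLimits:
    min_scanners: int = 1
    max_scanners: int = 50
    scans_per_scanner_per_hour: int = 4   # assumed throughput of one scanner
    target_wait_hours: float = 1.0        # the queue should drain within this
    scale_down_ratio: float = 0.5         # shrink only when need <= ratio * current


def desired_scanners(queue_depth: int, current: int, limits: PoolLimits) -> int:
    """Return the number of scanners the pool should run for this backlog."""
    capacity_per_scanner = limits.scans_per_scanner_per_hour * limits.target_wait_hours
    needed = math.ceil(queue_depth / capacity_per_scanner) if queue_depth > 0 else 0
    needed = max(limits.min_scanners, min(limits.max_scanners, needed))
    if needed > current:
        return needed          # burst: grow right away
    if needed <= current * limits.scale_down_ratio:
        return needed          # backlog clearly gone: shrink
    return current             # inside the hysteresis band: hold steady


def simulate(queue_by_hour: list[int], limits: PoolLimits) -> list[int]:
    """Apply the rule hour by hour; returns the pool size after each decision."""
    sizes, current = [], limits.min_scanners
    for depth in queue_by_hour:
        current = desired_scanners(depth, current, limits)
        sizes.append(current)
    return sizes


# Constructed workload: a quiet hour, a 1,000-app burst, then the queue draining.
SAMPLE_QUEUE = [3, 1000, 400, 120, 20, 0]


if __name__ == "__main__":
    print(simulate(SAMPLE_QUEUE, PoolLimits()))
```

With the assumed limits the pool goes 1, 50, 50, 50, 5, 1: it jumps to the cap as soon as the 1,000-app burst lands, holds there while the backlog is still large (a need of 30 scanners is above half of 50, so no premature shrink), and only drops back once the queue is nearly empty. In a real deployment the queue depth would come from the scan request queue and the result would be fed to whatever spins containers or servers up and down.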
Licensing flexibility is critical to scalability. It needs to be flexible enough that you don’t have to buy another license every time you need additional capacity for static or dynamic testing. Your license should allow you to move back and forth based on need and scanning capacity.
Why cyber resilience is key
The latest version of Verizon’s annual Data Breach Investigations Report shows that web application vulnerabilities are a top target for cyber criminals. About 40% of the data breaches that Verizon investigated in 2019 in fact involved application vulnerabilities.
It’s clear: A strong application security program is critical to enterprise cyber resilience. Follow the guidance above to make the shift in your approach.