For companies that provide applications to their customers, keeping those applications secure is a must. Setting up an application security program is the next logical step, but there are many choices to be made when trying to make it as effective as possible.
There are many different ways to “do” application security
There are many application security controls, and none is inherently better than another, but security professionals should definitely be aware of the various options available and pick the best one for their specific security requirements and business needs.
“Most organizations have a set budget allocated for application security and want to use it to optimize quality and coverage. I recommend evaluating different application security control options according to three key factors: scalability, coverage, and ease of use,” Caroline Wong, Vice President of Security Strategy at Cobalt.io, advises.
The modern threat and development landscape should also have a considerable influence on their application security decisions. For example, web applications have become much more complex over the past decade or so.
“Applications are moving to the cloud, and no longer consist of just a simple HTML page. Today’s web applications are also increasingly API-driven and as an API ‘speaks’ the language of the business, the application requires more business understanding to perform an adequate security test. Security professionals are finding that standard scanning technologies do not understand business logic and must be highly customized in order to be effective,” she explains.
Another example is agile development: code being deployed faster and faster.
“There’s a new demand for manual penetration testing, and doing a pen test once a year simply isn’t good enough,” she notes. “Today’s requirements for an application security penetration test include cost that will enable higher frequency testing and greater coverage across an application portfolio, access to quality talent who can perform manual testing, and strong integration with development processes in order to get issues fixed.”
Setting purposeful application security objectives
Most company leaders are not application security experts, and therefore don’t know what questions to ask about application security.
Application security professionals can help their leaders to make educated decisions about investment and resource allocation for activities like penetration testing, by positioning objectives in Goal-Question-Metric form.
- Goal: An organization should conduct a penetration test on every critical web application, mobile application, and API in its software portfolio.
- Question: What percentage of critical applications have been penetration tested in the last 12 months?
- Metric: % = # critical applications tested / total # critical applications in portfolio.
Decisions can then be made based on evidence, instead of opinion or anecdotes.
Avoiding the most common pitfalls
In her role as security strategist and former role as a management consultant, Wong has seen more than three dozen application security programs over the past few years.
One of the biggest pitfalls that she has observed is an emphasis on defect discovery to find security issues, without sufficient focus on the processes and cross functional relationships that are required to actually get those issues fixed.
Once an organization has completed an application security penetration test, the next step is to communicate the results to the developer team, help the developers prioritize the fixes, get them to remediate the issues, and ideally prevent the same issues from coming up again.
“Some application security folks are very good at finding and facilitating the finding of security bugs and flaws, but it takes a developer to change the code and fix the issues,” she points out.
“Application security professionals must learn about and integrate with existing development processes in order to achieve the primary goals of application security – higher quality, more secure code.”