Start the year off right with this application security checklist

by | Dec 29, 2020 | Blog, Dx Learning

The number of data breaches almost doubled from 2019 to 2020, and in just Q1 of 2020 alone we saw a 273 percent increase in the number of data records exposed. 

While spending on information security as a whole was expected to see small growth of 2.4 percent during 2020, this was still a decline from the 8.7 percent growth that was predicted at the end of 2019 (before the pandemic hit). However, if we look at the specific categories that fall underneath information security, application security is among the top three areas of growth in terms of spending in 2020, with an estimated 6.2 percent increase.

We are encouraged to see this, as we know how important application security is in reducing the risks associated with software vulnerabilities and preventing data breaches. With attacks on the rise and a more remote workforce, AppSec (and all areas of information security) must become a focal point rather than an afterthought for all organizations.

In an effort to help companies plan for the coming year, we have compiled an application security checklist to help you create and maintain secure applications. 

2021 application security checklist

1. Create a truly DevSecOps approach 

The term “DevSecOps” is not new, but, in reality, it is not being implemented in its best form in many organizations. There are valid reasons for this. 

The Agile software development methodology demands that developers move fast. Rapid code releases make it difficult for security team members to keep up and properly test the code before the next release. Further compounding the problem is the fact that developers tend to outnumber security team members by a ratio of 100:1.

Despite these challenges, the best-run companies are striving to achieve a true DevSecOps approach that incorporates security into the development process as soon as development begins. Benefits include a more secure end product, faster time to market, cost savings, and improved compliance. 

We have some tips on how to make the shift possible: 

  • Automate as much as possible—Use automated AppSec testing tools as much as you can. Run automated scans on the codebase to help security move more quickly. You can even set your automated scans to only run on the new code that was written since the previous test. 
  • Encourage collaboration between security and development teams—This is easier said than done, but there are ways to make it work. First, we encourage businesses to involve security team members early on in the development process. This not only creates a more collaborative relationship from the start, but it also saves time and money by creating a more secure application from day one (so there is less security work to be done further down the development pipeline, when things are more difficult to change).

    We also recommend using an AppSec workflow management tool that makes it easy for security and development teams to work together. Look for a tool that integrates with popular developer tools such as Azure DevOps, so AppSec analysts can assign remediation tasks out to developers and developers can work on them without having to leave their preferred working environment.
  • Educate and train developers—The more your developers know about AppSec, the more they will appreciate it and value its importance. Sessions should be held on a regular basis and should educate developers on any new vulnerabilities and AppSec techniques, so they are up to date on the latest AppSec trends and issues. Simple awareness training often leads to more secure code and a faster response when issues need to be remediated. 

Additional tips on this topic are available from our team here, and we suggest spending some time implementing all of these best practices in 2021. 

2. Put “fresh eyes” on manual code testing

Research suggests that the number of threats found by an AppSec tester gradually reduces over a period of five weeks. From there, it significantly declines after eight weeks. 

Your initial reaction may be to assume there are fewer vulnerabilities to find, but this is not necessarily the case (and not a safe assumption to make). It’s only natural that as a tester continues to review the same codebase, it becomes harder to find vulnerabilities. He or she simply becomes too familiar with the code and can’t see new issues popping up. 

While it may not be possible to assign new manual testers to all of your code, we suggest at least implementing this practice for higher priority sections of code that have a bigger impact on functionality and/or performance or that involve sensitive data. 

3. Use a combination of AppSec testing tools 

2021 is certainly not the first time we have stated this as a best practice, but no application security testing checklist is complete without this recommendation. One type of tool cannot provide comprehensive AppSec coverage. 

  • Static Application Security Testing (SAST) tools review the code line by line and test the application from the inside out. 
  • Dynamic Application Security Testing (DAST) tools attempt to penetrate the application from the outside, while it is running. 
  • Interactive Application Security Testing (IAST) tools run inside the application and look for vulnerabilities while the application is running.
  • Threat modeling tools help identify and prioritize threats and vulnerabilities within an application, so resources can be appropriately allocated.
  • Software Composition Analysis (SCA) tools analyze applications for third-party and open source components to detect vulnerable code.

Each type of tool adds significant value to the effectiveness of your AppSec program. A blended approach that combines the different types of AppSec tools (and even more than one of each type in most cases) yields the most effective and comprehensive AppSec coverage. 

While this may seem daunting, an AppSec management tool can streamline this process by correlating the results from AppSec scanning tools and deduplicating them. Findings are presented in a central hub, giving security a holistic view of application security in one central location. 

Our Code Dx tool even has a Triage Assistant that uses machine learning technology to predict which vulnerabilities are most critical. If you’re wondering just how much time this can save you, every 240 findings automatically categorized saves the equivalent of one week’s time of a full-time employee. This time savings adds very significant efficiencies to the AppSec process. 

4. Embrace Application Security Orchestration and Correlation (ASOC) 

ASOC is a newer category of AppSec created by Gartner in 2019, and organizations that haven’t yet implemented ASOC tools should make this a high priority for 2021. 

Gartner defines ASOC tools as those that “streamline software vulnerability testing and remediation by automating workflows. They automate security testing by ingesting data from multiple sources (static, dynamic, and interactive [SAST/DAST/IAST], software composition analysis [SCA], vulnerability assessments, and others) into a database. ASOC tools correlate and analyze findings to centralize and prioritize remediation efforts. They act as a management layer between application development and security testing tools.”

ASOC tools yield many benefits for the overall AppSec process, including: 

  • Improved DevSecOps efficiency—ASOC tools prioritize vulnerabilities and assign them a severity score, opening the door for a risk-based approach to application security. Security teams can ensure the biggest threats are addressed before the next release. Simple remediation tracking and management features ease the remediation process, allowing security and development to work together more efficiently.

    ASOC tools also provide metrics on such items as the rate at which vulnerabilities are introduced vs resolved, and the average number of days to resolution. Metrics empower CISOs and AppSec managers to identify trends and ways to improve the overall workflow of the AppSec process. 
  • A scalable approach to AppSec—As we mentioned earlier, AppSec struggles to keep up with the rapid code releases of development. ASOC tools overcome this struggle through:
    • Orchestration—Orchestration automates the scanning processes to ensure specific tools are always run at specific intervals, across multiple build servers. An ASOC tool automatically figures out the appropriate AppSec tools to run for a particular application, creating a consistent and standardized process for AppSec testing.
    • Correlation and deduplication—ASOC tools automatically correlate and deduplicate results from your AppSec scanning tools, including manual reviews, reducing the total number of issues to be assessed.
    • Prioritization—Smart automation and machine learning technology make sure the optimal mix of testing tools is run on a given application and identify high-priority vulnerabilities. The resulting noise reduction saves substantial time in the AppSec testing process.
    • Integration and centralized management—ASOC tools fit seamlessly into the Continuous Integration/Continuous Delivery (CI/CD) pipeline. AppSec analysts can securely manage tool credentials and application logins and have the ability to audit custom code, third-party components, and the network in a centralized system.
  • Improved AppSec accountability—Disjointed results from many AppSec testing tools leave security team members with little to no situational awareness. On top of that, managers and executives often find it difficult to report on exactly how well AppSec is performing. ASOC solves the accountability problem for analysts and executives.

    A system of record serves as an auditable archive for all AppSec activity, while remediation tracking features allow managers to see detailed information on all remediation issues and where they stand at a given point in time. A single pane of glass view integrates information from all of the AppSec tools in use, providing centralized risk visibility, situational awareness, and continuous security monitoring.

    A risk score lets managers and executives get a quick sense of how well a particular project is performing in terms of security efforts, while the metrics dashboard offers a deeper dive into the work being done and trends over time. With all of the benefits of an ASOC tool, 2021 is certainly the year to implement one.
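To make the correlation and deduplication step from section 3 and the prioritization, remediation metrics and "fix the biggest threats before the next release" idea from section 4 concrete, here is an added Python example. It is not Code Dx code or any vendor's implementation; the tool names, the (CWE, location, line) correlation key, the severity ranking and the sample findings are all constructed assumptions for illustration.

```python
"""Added example: correlate findings from several AppSec tools, deduplicate
them, rank by severity, compute remediation metrics and apply a release gate.
Everything below (tool names, sample findings, field names) is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed severity ordering; real tools use different scales that would need mapping.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    """One raw finding as a scanner (or a manual reviewer) reported it."""
    tool: str
    kind: str                 # "sast", "dast", "sca" or "manual"
    cwe: str                  # e.g. "CWE-89"
    location: str             # file path, dependency locator or URL
    line: Optional[int]
    opened: date
    severity: str
    resolved: Optional[date] = None


@dataclass
class Issue:
    """One correlated issue that may be backed by several raw findings."""
    cwe: str
    location: str
    line: Optional[int]
    severity: str
    opened: date
    resolved: Optional[date]
    tools: List[str] = field(default_factory=list)


def normalize_location(loc: str) -> str:
    """Make paths comparable across tools (slashes, leading './')."""
    loc = loc.replace("\\", "/")
    return loc[2:] if loc.startswith("./") else loc


def correlate(findings: List[Finding]) -> List[Issue]:
    """Group findings that point at the same weakness at the same place.
    Severity is the highest any tool assigned; an issue counts as resolved
    only when every contributing tool has stopped reporting it."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.cwe, normalize_location(f.location), f.line)].append(f)
    issues = []
    for (cwe, loc, line), group in groups.items():
        severity = max((g.severity for g in group), key=SEVERITY_RANK.__getitem__)
        resolved = max(g.resolved for g in group) if all(g.resolved for g in group) else None
        issues.append(Issue(cwe, loc, line, severity, min(g.opened for g in group),
                            resolved, sorted({g.tool for g in group})))
    # Highest severity first, then a stable order by location so reports are reproducible.
    issues.sort(key=lambda i: (-SEVERITY_RANK[i.severity], i.location, i.line or 0))
    return issues


def remediation_metrics(issues: List[Issue], start: date, end: date) -> dict:
    """Introduced vs. resolved in a window, open backlog, mean days to resolution."""
    introduced = sum(1 for i in issues if start <= i.opened <= end)
    done = [i for i in issues if i.resolved and start <= i.resolved <= end]
    days = [(i.resolved - i.opened).days for i in done]
    return {"introduced": introduced, "resolved": len(done),
            "open": sum(1 for i in issues if i.resolved is None),
            "mean_days_to_resolution": sum(days) / len(days) if days else None}


def release_gate(issues: List[Issue], block_at: str = "high") -> Tuple[bool, List[Issue]]:
    """Fail the release while any unresolved issue is at or above the threshold."""
    blockers = [i for i in issues
                if i.resolved is None and SEVERITY_RANK[i.severity] >= SEVERITY_RANK[block_at]]
    return (not blockers), blockers


# Constructed sample: two SAST tools, a manual review, an SCA tool and a DAST tool.
SAMPLE_FINDINGS = [
    Finding("sast-a", "sast", "CWE-89", "./src/db/query.py", 42, date(2020, 12, 1), "high"),
    Finding("sast-b", "sast", "CWE-89", "src/db/query.py", 42, date(2020, 12, 2), "critical"),
    Finding("sast-a", "sast", "CWE-79", "src/web/render.py", 17, date(2020, 11, 20), "medium", date(2020, 12, 4)),
    Finding("manual", "manual", "CWE-79", "src/web/render.py", 17, date(2020, 11, 22), "high", date(2020, 12, 4)),
    Finding("sca-x", "sca", "CWE-1104", "requirements.txt:example-lib==1.0.0", None, date(2020, 12, 10), "high"),
    Finding("dast-y", "dast", "CWE-693", "https://app.example/login", None, date(2020, 12, 12), "low"),
    Finding("sast-b", "sast", "CWE-563", "src/util/tmp.py", 5, date(2020, 12, 15), "info", date(2020, 12, 16)),
]


def sample_report() -> dict:
    """Run the whole pipeline over the constructed sample for December 2020."""
    issues = correlate(SAMPLE_FINDINGS)
    ok, blockers = release_gate(issues)
    return {"raw": len(SAMPLE_FINDINGS), "issues": issues,
            "metrics": remediation_metrics(issues, date(2020, 12, 1), date(2020, 12, 31)),
            "release_ok": ok, "blockers": [b.cwe for b in blockers]}


if __name__ == "__main__":
    report = sample_report()
    print(f"{report['raw']} raw findings -> {len(report['issues'])} correlated issues")
    for i in report["issues"]:
        state = f"resolved {i.resolved}" if i.resolved else "open"
        print(f"  {i.severity:8} {i.cwe:9} {i.location}:{i.line} [{', '.join(i.tools)}] {state}")
    print("metrics:", report["metrics"])
    print("release gate:", "PASS" if report["release_ok"] else f"BLOCKED by {report['blockers']}")
```

Seven raw findings collapse to five issues: the SQL injection sink reported by both SAST tools is merged and takes the higher (critical) severity, and the XSS found by both the scanner and the manual reviewer is counted once and as resolved. The gate blocks the release on the two unresolved high-or-worse issues, which is the risk-based "biggest threats before the next release" behaviour described above; the window metrics are what a trends dashboard would chart over time.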

5. Re-evaluate your approach to AppSec on a periodic basis 

If nothing else, this year has taught us that we cannot always predict how the year will go. The application security landscape can change at any time. It pays to remain vigilant. AppSec team members, managers, and executives must work together to make sure everyone remains aware of emerging vulnerabilities and new AppSec tools and techniques that can further streamline the AppSec process without sacrificing quality or effectiveness. 

As application security moves up the priority list for organizations, it’s time to elevate your AppSec strategy so it can move as quickly as DevOps. Contact us today for a demo of the Code Dx ASOC platform to learn how it can help you check off all of the boxes on our application security checklist.