Outnumbered 100 to 1 by developers, AppSec needs a new model of agility to catch up and protect everything that needs to be secured.
In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than invest their time in critical activities, teams are overwhelmed by gaps in visibility and tools to govern the process. As a result, many digital services remain improperly protected. To catch up, AppSec must adopt a model of agility that is compatible with software development.
The Case for Agility
The agile process continuously integrates small changes and collects meaningful feedback along the way, allowing an ever-progressing evolution of software. With small steps, you pay less for mistakes and learn a lot along the way. This approach, powered by continuous integration/continuous development (CI/CD), source code management (SCM), and an amazing array of collaboration tools, makes the software industry fast and powerful.
AppSec teams are charged with making sure software is safe. Yet, as the industry's productivity multiplied, AppSec experienced shortages in resources to cover basics like penetration testing and threat modeling. The AppSec community developed useful methodologies and tools — but outnumbered 100 to 1 by developers, AppSec simply cannot cover it all.
Software security (like all software engineering) is a highly complex process built upon layers of time-consuming, detail-oriented tasks. To move forward, AppSec must develop its own approach to organize, prioritize, measure, and scale its activity.
What Would Agile AppSec Look Like?
Agile approaches and tools emerged from recognizing the limitations of longstanding approaches to software development. However, AppSec's differences mean it can't simply copy software development. For example, bringing automated testing into CI/CD might overlook significant things. First, every asset delivered outside CI/CD will remain untested and require alternative AppSec processes, potentially leading to unmanaged risk and shadow assets. Second, when developers question the quality of a report, it creates friction between engineers and security, jeopardizing healthy cooperation. This applies to every aspect of AppSec, not just testing.
We need to dig deeper, examine the tenets of agility, and define an approach that overcomes limitations and helps master the chaos.
1. Stakeholders, Deliverables, and Sustainability
AppSec teams' attention is required at all layers of engineering, which often creates bottlenecks, even for teams with a clear focus. This motivates organizations to delegate security tasks to developers. Since AppSec is a resource-consuming discipline, delegating tasks is key to success. However, many organizations struggle with the complexity of ownership in AppSec. For example, automated security tools are merely guests in CI/CD and have varying levels of acceptance among developers, so things may fall between the cracks.
Furthermore, AppSec's role includes directing the organization strategically. As maturity-focused initiatives like BSIMM and SAMM argue, collecting the right data and publishing it to the right stakeholders promotes security simultaneously from the bottom up and the top down.
To become agile, AppSec must own measurement and governance while delivering services in a way that encourages developers to pull security to the left. AppSec agility requires breaking dependencies in anything related to posture measurement and governance and establishing sustainable, independent operations that set their own strategy and tactics.
2. Discovering Requirements
The potential disruption caused by releasing new software in enterprises encourages product teams to avoid assumptions and learn what works for users; there's a constant journey to discover requirements. While security requirements are clear on paper, with software proliferating so quickly, governance of the process becomes aspirational for most teams.
With regulatory and industry standards continuously evolving, AppSec must develop a rapidly agile ability to define the organization's security priorities.
3. People, Processes, and Tools
Agile development requires the cooperation of motivated and empowered individuals. The tools that helped development outpace AppSec, such as Git for working simultaneously on code, Jira for tracking complex plans, and Jenkins for optimizing and standardizing build, test, and deploy, are instrumental to agility. They allow users to invest less on peripheral tasks and move faster while benefiting from the insightful data they hold.
While there is no replacement for having a professional security architect, a razor-sharp pen tester, and a properly armed bug hunter, there is great promise in automated security testing and runtime protection. Instrumental to AppSec agility are systems that reduce menial tasks and utilize data from one activity to make another more effective.
Better, scalable AppSec requires better intel collection, measurement metrics, and orchestration. Teams must be able to allocate their talent well, using prescriptive metrics to guide prioritization. AppSec teams should be able to immediately know what assets they are protecting and which are most important. By making more security services accessible to the organization and providing leadership with actionable measurements, teams will be able to embrace systematic processes such as validated learning and lead their organization to maturity.
From Agile to Mature
The time has come for AppSec to operate at the level of the field it protects. This is the only way for AppSec teams to effectively do their job while providing the speedy production that keeps boards happy. AppSec teams deserve clearer workflows, more automation, and true visibility. Software engineers have learned to master machines and make them our friends. It is high time that application security did the same. Frankly, it can no longer afford not to.
*Originally published on Dark Reading