Practice Manager, Application Security, CISSP, CCSP, OSCP
Shawn Asmus is a practice manager with Optiv’s application security team. In this role he specializes in strategic and advanced AppSec program services and lends technical expertise where needed. Shawn has presented at a number of national, regional and local security seminars and conferences.
Quick Tips for Building an Effective AppSec Program – Part 2
In my last blog post, I talked about what an application security (AppSec) program is and how an organization would go about building a formal program to secure their internally-developed applications, as well as third-party applications they have or will be deploying. I touched on the importance of creating an application catalog, aligning with one of several industry AppSec frameworks, and having a solid understanding of your application architecture, that, together, can form the necessary foundation for a formal program.
In this post, I’ll discuss how you should be thinking about the various toolchains you’ve already deployed or are thinking about deploying, as well as defect tracking and vulnerability management processes to help your AppSec and development teams stay on top of remediation efforts across your application environment in an efficient and programmatic way. So let’s start with assessment toolchains.
Assessment tools must be carefully chosen, sensibly configured, and properly integrated into the SDLC to be effective. The end goal is to build a reliable and trustworthy set of processes that gives sufficiently wide and deep scan coverage across the application portfolio.
Knowing the capabilities and limitations of your static, dynamic, and interactive application security tools will enable you to identify and fill gaps with other technologies. For example, functional testing tools such as Selenium may be leveraged for added coverage.
It’s important to note that relying on automated tools alone may provide a false sense of security. According to OWASP, “Security vulnerabilities can be quite complex and deeply buried in code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with advanced tools.”
See https://www.optiv.com/blog/secure-sdlc-lessons-learned-2-assessment-toolchain/ for more information.
Defect Tracking and Remediation
Results from the assessment toolchain are typically fed into defect tracking systems. By recording the source/stage where each vulnerability was identified, and by what tool, your organization can better measure the effectiveness of these tools and the program as a whole.
For organizations leveraging more than one assessment tool, consolidating scan results to a centralized vulnerability management system is essential. Defect merging, de-duplication, and normalization can be automated through data rules to quickly assign bug ownership to the proper teams for remediation.
As AppSec programs mature, organizations tend to rely less on severity ratings from tools and more on their own weighted risk classification system. A properly designed and integrated defect tracking system, aligned with risk management objectives, will facilitate prioritized defect remediation and support vulnerability and knowledge management activities.
Application vulnerability management is defined as the post-identification response to handling reported software security issues. Operationally, it is the process of remediating or mitigating risk at the application platform, framework and component levels. Sources of reported vulnerabilities may include the assessment toolchain, software composition analysis tools, internal teams, external entities and incident response units. Clear lines of responsibility should be defined by security policy to hold appropriate teams accountable for application vulnerability management.
Organizations now require deep visibility into their various application environments (dev, test, stage, production) to be able to prevent and quickly respond to vulnerabilities. Those that leverage automation and orchestration technologies are much better equipped to realize this objective.
There are many other activities that can contribute to the success of an AppSec program, such as metrics and security training. I’ll explore these and more in my next post.