Chapter 4. Solving Problems for Application Security
Caroline Wong
Fundamentally, application security is about designing, building, and maintaining secure software. Good software helps organizations, and bad software hurts organizations.
There are four main categories of application security activities: governance, finding security problems, fixing security problems, and preventing security problems. This essay will provide a high-level description of each of these four categories, with an emphasis on fixing security problems:
- Governance

  There are several high-level factors to consider when developing an application security program. These include compliance and regulatory requirements, contractual relationships with other organizations, and a solid understanding of what you’re supposed to be securing in the first place. It’s also important to define metrics up front so that the success of the program can be measured and demonstrated over time.
- Finding security problems

  There are many ways to find security problems at different points in any software development life cycle, whether an organization follows a waterfall, Agile, or DevOps methodology. Security testing types include threat modeling, code review, and penetration testing. A combination of manual and automated security testing is likely to result in the most efficient and effective identification of true positive security vulnerabilities in software applications.
- Fixing security problems

  Fixing security issues is not just a technical problem; people and processes are also required to get it done. Once security testing has been performed in order to find as many true positive issues as possible, the next step is to engage with the teams that can actually fix the issues. The quality of software does not improve until the problems are addressed or eliminated. Fixing security issues requires effective communication, coordination, and integration with development teams and processes.

  Security teams must recognize that developers are focused on building new features and meeting deadlines and have limited bandwidth to remediate security issues. It is certainly not possible to fix all the security issues at once. They must be prioritized in the context of business values and goals and addressed over time.

  I recommend that security teams get curious about development team priorities and look for areas of common interest. They should ask questions about how development teams work and how much time they have to realistically spend on fixing security issues.

  One of the best ways to get security bugs fixed is to integrate with developer tools and processes. Security teams should ask about the tools developer teams use to do their work and the processes they follow to manage it. For example, how frequently do they release code? This should influence the frequency of security testing. What bug tracking system(s) are they using to manage bug fixes? Make sure security bugs are included and don’t get lost in separate systems or PDF reports.
- Preventing security problems

  The people who build software must understand why vulnerable code is insecure. Developers must be empowered with tech stack-specific knowledge and tools to help them avoid creating security bugs and flaws in the first place. Ideally, good programming practices and well-designed frameworks make it easier for developers to write secure software by default and harder for them to make mistakes. Cloud environments must be configured correctly to prevent security vulnerabilities from being exploited, and attacks must be discovered and stopped as early as possible to minimize damage.

The ways in which development and operations teams interact are changing, and security must keep pace. Security teams working effectively with DevOps teams, processes, and tools are absolutely critical to getting application security done right. Security teams sometimes place heavy emphasis on finding issues, without enough focus on engaging with the development teams and building the cross-functional relationships that are actually required to get security issues fixed.