A year ago, most of the hot topics in application security related to DevSecOps. Whether it was automating security testing in a continuous delivery pipeline, figuring out the best methods to involve developers more in security testing, or finding ways to get security professionals in a Security Operations Center (SOC) to better partner with development teams, making DevSecOps a reality was the talk of the town.
And then came the pandemic.
With the pandemic came an alarming rise in cyberattacks, particularly via ransomware. This underscored the need for DevSecOps to move from a “nice-to-have initiative” to an “essential program.” So, now that we’ve all said “good-bye” to a year that was much more challenging than we’d ever anticipated, what are the key things to look for in 2021 related to application security? I’m glad you asked.
QA joins the Security Party (Thank you, IAST!)
Many organizations have incorporated some form of automated security testing into their DevOps pipelines, and usually as part of a continuous integration build. This provides for better feedback to development teams earlier in their SDLC. But, for DevSecOps to reach the level of having high-quality secure software released at the speed of DevOps, security must be seen as an integral component of overall quality. In the same way that functionality and performance drive quality and user experience, security is now every bit as important.
We saw the beginning of this in 2020, as more QA professionals were being asked to conduct some form of security testing alongside other kinds of testing. Our Ponemon Institute study titled “Application Security in the DevOps Environment” had 11% of the more than 620 respondents reporting that their roles involved Quality Assurance.
And for organizations that are looking for ways to better involve QA in security testing, one great recommendation is to use Interactive Application Security Testing, or IAST. Interactive testing incorporates discovery of security vulnerabilities as applications are exercised. This means that while QA teams are conducting functional testing, they can be uncovering security issues at the same time. And the fact that these vulnerabilities are found as the application is being used means that the false positive rate is near zero.
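To make the “near-zero false positives” point concrete, here is a constructed toy of how an IAST agent works. It is an added example, not code from this post or from any IAST product: data entering through a request parameter is marked tainted, the mark follows the value through ordinary string concatenation, and a hook on the database sink reports a finding only when tainted text actually arrives in the SQL statement. The `Agent`, `Tainted` and `lookup_user_*` names are invented for the illustration; a real agent hooks the driver library itself rather than asking the application to call a wrapper.

```python
"""Toy IAST-style taint tracking: untrusted source -> string building -> SQL sink.
Constructed example; the names and the in-memory database are made up for it."""
import sqlite3
from dataclasses import dataclass, field


class Tainted(str):
    """Marks data that came from an untrusted source (here: a request parameter).
    Concatenation with a tainted operand stays tainted, so the mark survives the
    usual way vulnerable queries get built.  (f-strings and .format() would need
    their own hooks; a real agent instruments those too.)"""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


@dataclass
class Finding:
    rule: str
    sink: str
    evidence: str


@dataclass
class Agent:
    """The 'agent': a source hook and a sink hook, plus the findings it collects."""
    findings: list = field(default_factory=list)

    def source(self, request_param):
        # Entry-point hook: everything a client sends is untrusted.
        return Tainted(request_param)

    def sql_sink(self, cursor, sql, params=()):
        # Sink hook: the statement *text* must never carry taint.  Bound parameters
        # are handed to the driver separately and are never part of the text, so a
        # tainted value in `params` is exactly the safe pattern.
        if isinstance(sql, Tainted):
            self.findings.append(Finding("sql-injection", "sqlite3.Cursor.execute", str(sql)))
        plain_params = tuple(str(p) if isinstance(p, str) else p for p in params)
        return cursor.execute(str(sql), plain_params)


def setup_db():
    # Constructed sample data, kept in memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user_vulnerable(agent, conn, raw_name):
    # Hypothetical handler that builds the query by concatenation.
    name = agent.source(raw_name)
    sql = "SELECT role FROM users WHERE name = '" + name + "'"  # tainted text reaches the sink
    return agent.sql_sink(conn.cursor(), sql).fetchall()


def lookup_user_safe(agent, conn, raw_name):
    # Same feature, parameterised: the statement text is a plain literal.
    name = agent.source(raw_name)
    sql = "SELECT role FROM users WHERE name = ?"
    return agent.sql_sink(conn.cursor(), sql, (name,)).fetchall()


def run_functional_tests():
    """What a QA suite already does: exercise the feature with ordinary, benign input.
    Because the agent fires only when tainted text really reaches the sink, the
    benign input is enough to expose the vulnerable path; no attack payload and
    no guessing from source code patterns is involved, which is why the result
    is not a false positive."""
    agent = Agent()
    conn = setup_db()
    assert lookup_user_vulnerable(agent, conn, "alice") == [("admin",)]
    assert lookup_user_safe(agent, conn, "bob") == [("user",)]
    return agent.findings


if __name__ == "__main__":
    for f in run_functional_tests():
        print(f"{f.rule} at {f.sink}: {f.evidence}")
```

Both handlers pass their functional tests; only the concatenating one produces a finding, and the finding carries the exact statement that ran, which is what a developer needs to fix it.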
Developer-Friendly Threat Modeling
Threat modeling was a topic that appeared often during DevOps-related events in 2020. Sessions during the DevOps Enterprise Summit and the SAYA 10x event were just some of the many examples. And this was a topic that my colleague Colin Bell and I personally discussed at All Day DevOps and the Agile Techwell DevSecOps Summit. All of this affirmed the notion of involving developers more in threat modeling exercises as a way to increase security visibility and to better align development and security professionals.
And in late 2020, a collaborative threat modeling manifesto was announced to provide core values and principles for making threat modeling more effective. Here’s one of the core principles that’s mentioned in it:
“Threat modeling must align with an organization’s development practices and follow design changes in iterations that are each scoped to manageable portions of the system.”
Note the emphasis here is on alignment with development practices. The best way to do this is to incorporate developers into threat modeling exercises. Doing so provides at least two distinct benefits:
- Developers gain insight into the myriad ways that code can be compromised, which should lead directly to better coding practices.
- Security professionals gain insight into development pressures and practices, which should lead to better prioritization and management of vulnerabilities, particularly as it relates to managing a backlog.
If you are looking for ways to incorporate developers more into threat modeling, resources like the card games Elevation of Privilege (also on GitHub) and Backdoors & Breaches can be a great way to promote discussion and education in a fun, blameless environment.
Emerging Best Practices – Particularly for Open Source
Security has always been important, but with the move of so many business professionals to remote work, coupled with the already noted increases in cybercrime, security has moved from being a front-and-center topic for only CISOs to top-of-mind for everyone. As organizations adjust accordingly to reduce risk, doing so in a cost-effective and efficient manner is paramount.
Hence, a need for more best practices.
To be fair, there are many good application security best practices today – such as leveraging machine learning to identify false positives before presenting findings to development teams – but to date, most of these have focused on in-house code.
In this age of proliferating open-source usage, there is now a need for defined best practices, techniques, reference architectures, education and training around open frameworks and code sharing. I expect this to increase greatly in 2021, and in fact there is currently a group known as the OSSF, or Open Source Security Foundation, that is working on precisely that effort. If you have an interest in contributing to the discussion, check out the workgroup on GitHub.
And if you are looking for another great resource for application security best practices, be sure to check out the new book “Alice & Bob Learn Application Security” from our friend Tanya Janca (@shehackspurple).
Real Entry-Levels and Defined Career Paths
Another area where I expect to see a lot more discussion in 2021 is around security-related careers, especially as it relates to entry-level positions.
We have all heard the statistics about the looming skills gap in cybersecurity. A real part of the problem is the lack of realistic entry-level roles where people can learn and grow skills, coupled with the additional challenge of not having well-defined career paths for security expertise. A CISO friend of mine said it best when he was a guest on a recent podcast with David Spark:
“It’s very difficult for people in our position to sometimes even define what an entry-level role is. Because none of us had an entry-level security role. We were the first security guy and we made it up as we went along.”
And while there are many different certifications that exist today to demonstrate learned skills, many of these require considerable time, energy and effort to obtain. Some even require field experience, which generates a real “chicken and egg” problem.
The simple truth is that we need to do better. We need to partner with academia to ensure that the correct foundational skills are taught and that graduates have the necessary competencies to participate in cyber activities in meaningful entry-level roles. And then we have to be able to balance their individual needs to risk, fail, learn and grow as part of the process toward success, against acceptable risk tolerances of our organizations. Mentorships and apprenticeships can go a long way towards making that possible.
Application security matters, and in 2021 we will continue our efforts to maximize the impact of continuous, metrics-based improvements on your Application Security Testing program. To learn more about what that means, listen to the Application Paranoia podcast and check out our episode on IAST. The podcast is available on Apple Podcasts, Spotify, Google Podcasts and Buzzsprout; follow us at @AppParanoia. You can also watch our Continuous Security webinar with my podcast colleagues Colin Bell and Kris Duer.