7 Best Practices for Modern AppSec Programs

Mend.io CEO Rami Sass, Jeff Martin, VP of product management, and CMO Arabella Hallawell recently sat down for a panel discussion on AppSec today. In this second of a two-part series, they get tactical, discussing seven best practices for building modern AppSec programs.

1. Make AppSec dynamic

Jeff Martin: A lot of the development methodologies that are actually in practice for major application vendors are still old. The wall between development and security has to come down in the same way that the wall between development and QA came down many years ago. Because your software’s a living, breathing thing. It’s not static. It’s connected to everything else and it’s constantly changing. So, you can’t use those same processes, and AppSec is better enabled by modern tooling than the tooling we had five years ago.

2. Address the lack of processes

Arabella Hallawell: Many organizations don’t have either the tools or the processes to scan either custom code or open source, and they haven’t connected their dev teams and the security teams to implement some of these things.

I recently spoke with a large technology research organization and they said that open source functions and things like a full dependency health program just aren’t there. Yes, there are tools that can automate dependency updates and provide the information you need, but if you don’t have processes, they’re difficult to implement.

JM: Tools to automatically update dependencies certainly exist. We’ve got a great one, Mend Renovate. But the first thing you need to ensure you’re not introducing functional risk is automated testing. Sure, you can mitigate issues. Tools can tell you that a particular version of software has been used by others, it’s safe, and they aren’t having problems. But other processes don’t enable this. You need a capability like automated testing to check whether you have introduced functional risk when remediating security risk.

3. Overcome existing security debt

Rami Sass: Some of the organizations that are most successful at handling application security risk segregate their preexisting situation. They have some backlog or existing security debt. So, they start by making sure they’re not making matters worse with any updates. First, implement a process that ensures you don’t introduce any new application security risks, proactively keep your dependencies updated, and apply a high level of hygiene to your software. Then, gradually you’ll start reducing your security debt.

I think this is the most effective way to approach implementing a modern AppSec program. First, ensure you’re not doing any additional harm. Then go back and prioritize your biggest exposure, and tackle that. What you’ll find is with a relatively small investment in resources, you can start fixing 50, 60, and 70% of your risk before you hit the more complicated problems.

4. Prioritize prioritization

AH: It’s also worth highlighting that close to 85 percent of updates have already got a fix available before they’re published. So, if you get up to date on dependency health, you meaningfully narrow your attack surface. Some basic technologies should be adopted, including reachability analysis. This looks at all the issues that are found, identifies how many will actually reach your application, and what you can do to fix it. It’s still not as widely deployed as it should be, yet without it, security is so much more difficult than it has to be. If you map dependency health with reachability, you can become way more effective.

JM: Measurable prioritization is really important. How are you going to prioritize, and pick what matters to you as a business? Is a vulnerability really exposed to attack? Prioritize and fix what’s most necessary, not just what’s in front of you.

Then measure the success of what you’re using and what you’re doing. CEOs may see all those resources focused on security and they want to know what they’re getting for it. Without measurement in place, then it’s very hard to justify the spending, ask for more, or prove the value of your work. It all boils down to metrics.

Continue reading: https://go.mend.io/3JoBLIp
