Application security continues to grow in relevance and importance. MITRE recently released its 2022 list of the most dangerous software weaknesses, and it is dominated by application-tier issues. The security industry has understandably put a lot of emphasis on issues that orbit application security, for example:
- Patching/updating, whether it’s servers, containers, or open source libraries.
- Configuration of developer frameworks, underlying infrastructure, or other related technologies.
- Identity and access management: how we identify users, authenticate them, and grant them access to only the things they need.
The above issues, while important, do not address the custom code that software teams write to build their products. I'm not referring here to code consumed from third parties (e.g., open source libraries or COTS tools that are packaged up and deployed). That custom code is, in my experience, where application security activities such as threat modeling, developer training, and static code analysis are instrumental to overall security outcomes.
Application Security Activities
Application security is sometimes conflated with, or oversimplified to, specific things such as managing dependencies, pen-testing, or training developers. It includes those things, yes, but it is a broader set of activities centered on what it takes to build and operate resilient software. My personal opinions here are colored by my time at Cigital, which did nothing but application security, helping its customers across a range of industries build more secure software.
There are several maturity frameworks, including BSIMM and the OWASP OpenSAMM, that describe the range of activities in more detail and how they scale from initial adoption to mature capability. These models highlight the importance of looking at software from different angles and engaging at different layers of the technology stack.
Threat modeling can find things that penetration testing never will, such as a missing authorization check at a trust boundary in a design that has not been built yet. Static analysis can find things that threat modeling never will, such as an injection flaw in one line of an otherwise sound design. Software composition analysis can find things that security-focused linting never will, because a known-vulnerable dependency is invisible to a tool that only reads first-party code. This mix of activities finds and manages a more expansive set of risks. More importantly, it reinforces a culture of building and operating secure software.
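To make that complementarity concrete, here is an added example (written for this page, not code from the article, BSIMM, or OWASP SAMM): a minimal AST-based static check beside a minimal software composition check, each run over a constructed input the other cannot reason about. The static check reads first-party code and knows nothing about dependencies; the composition check reads a pinned manifest and knows nothing about how the code calls into it. The package names, advisory table, and sample application code are all constructed for the example and do not refer to real advisories.

```python
"""Two complementary application security checks (added example).

Shows why static analysis and software composition analysis (SCA) find
different classes of issues. All inputs and advisories are constructed.
"""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str    # which check produced it: "static" or "sca"
    line: int     # 1-based line in the scanned input
    message: str


# --- Static analysis: walk the AST of first-party code and flag two
# classic injection sinks. A dependency scanner never sees these.
def static_scan(source: str) -> list[Finding]:
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Resolve `eval(...)` (Name) or `subprocess.run(...)` (Attribute).
        if isinstance(func, ast.Name):
            name = func.id
        elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            name = f"{func.value.id}.{func.attr}"
        else:
            continue
        if name == "eval":
            findings.append(Finding("static", node.lineno, "eval() call (code injection risk)"))
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append(Finding("static", node.lineno, f"{name} called with shell=True"))
    return findings


# --- Software composition analysis: compare pinned versions against a
# constructed advisory table. Versions are compared numerically, so
# "1.10.0" is correctly treated as newer than "1.9.3" (a string compare
# would get this wrong).
ADVISORIES = {  # constructed for this example; not real packages or CVEs
    "examplelib": ((2, 3, 0), "examplelib < 2.3.0: unsafe deserialization (hypothetical)"),
    "otherpkg": ((1, 10, 0), "otherpkg < 1.10.0: path traversal (hypothetical)"),
}

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text: str) -> tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def sca_scan(requirements: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(requirements.splitlines(), start=1):
        m = REQ_LINE.match(line)
        if not m:
            continue  # blank lines, comments and unpinned specs are skipped
        pkg, ver = m.group(1).lower(), parse_version(m.group(2))
        if pkg in ADVISORIES:
            fixed_in, msg = ADVISORIES[pkg]
            if ver < fixed_in:
                findings.append(Finding("sca", lineno, msg))
    return findings


# Constructed sample inputs: the code is clean from SCA's point of view,
# and the manifest is clean from the static check's point of view.
SAMPLE_SOURCE = '''
import subprocess

def run_report(user_filter):
    cmd = "report --filter " + user_filter
    return subprocess.run(cmd, shell=True)

def compute(expr):
    return eval(expr)
'''

SAMPLE_REQUIREMENTS = """
# pinned dependencies (constructed)
examplelib==2.2.9
otherpkg==1.10.0
unrelated==0.4.1
"""


def run_both() -> dict[str, list[Finding]]:
    return {"static": static_scan(SAMPLE_SOURCE), "sca": sca_scan(SAMPLE_REQUIREMENTS)}


if __name__ == "__main__":
    for check, found in run_both().items():
        for f in found:
            print(f"[{check}] line {f.line}: {f.message}")
```

Run as-is, the static check reports the `shell=True` call and the `eval()` call in the sample code, and the composition check reports only `examplelib==2.2.9`; `otherpkg==1.10.0` is at the fixed version and passes. Neither check could have produced the other's findings, which is the point of running both.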
Solution Space
One of the challenging but simultaneously exciting things in the application security space is the emergence of new vendor solutions. Alongside this rise in vendor options, there is a shift from catering to the security team member to building tools that cater to the developer experience while still aiming at a security outcome. Exciting examples here include HashiCorp and R2C's Semgrep.
One reason developer experience is so critical here is that software is so often directly tied to a value center in an organization. Tools that break builds, excessively slow developer velocity, or break functionality in production are quickly stripped out by development teams.
This very real dynamic highlights the imperative for security teams to keep an enabler focus, staying constantly mindful that security is not the primary mission of the organization or of a given team. If security teams help developers do their jobs more effectively, they have a much higher likelihood of succeeding. This needs to be front and center in every tool selection and evaluation in this area.
My advice to other security professionals often includes engaging developers as part of pilots or of the evaluation team, and aiming to create ownership of the decision.
Concluding Thoughts
Application security is not going away anytime soon. If anything, it’s only going to grow in relevance as software eats the world. Security leaders need to be mindful of the range of activities relating to building secure software. There are multiple points at which security can be woven into a development lifecycle.
There is also the question of how much friction the developer workflow can absorb. Too much will kill productivity and cause frustration. Done well, though, application security programs can be powerful enabling functions that simultaneously reduce the risk of running insecure software.