Application Security

What is Application Security?

Application Security (AppSec) defines engineering and assurance efforts to prioritise the security of software, integrated with development operations. Examples of this include the implementation of DevSecOps in DevOps environments, and applying security to all phases of the software development lifecycle (SDLC), with a secure software development lifecycle (SSDLC).

Application Security proactively integrates security with software development and testing practices to identify and resolve issues in applications, by implementing security configurations, automated testing tools, and streamlined reporting and analytics, to support the prioritisation of issues for remediation.

For a non-exhaustive list of the tech stacks Endure Secure supports, refer to our page here.

What is the Application Security Methodology?

An effective Application Security methodology:

• Meets business objectives for software security
• Addresses regulatory and legal requirements
• Dynamically identifies and tracks all software assets (i.e. repositories, software, and software dependencies)
• Comprehensively secures software at each phase of the software development lifecycle, and the technologies being used
• Creates little-no additional work for developers, aside from having to resolve identified issues (i.e. security tools breaking DevOps pipelines)
• Results in an increase of organisational effort to address security issues in software

Methodology

1. Understand business objectives for the AppSec Program
2. Ensure the organisation has adequate asset management, and if not consider how the organisation can improve knowledge or their assets.
   • Software asset management is quite difficult, some AppSec tools help increase awareness, but this should be considered alongside the rollout of DevSecOps in any environment. This especially applies to the generation and storage of Software/Application Bill of Materials (SBOM/ABOMs).
   • There is an open-source tool provided by OWASP for this called DependencyTrack, but for a more comprehensive tool that handles all major types of assets and risk, take a look at Coyote Risk and Asset Management.
3. Identify critical software assets, through exercises like threat modelling as risk assessments
4. Understand the security culture within the organisation, especially in terms of how developers operate. Determine how best to improve/sustain a focus on security for developers, which could include:
   • Targeted awareness training
   • 360° review (Penetration Testing + Code Review exercise)
   • Technical training on how to secure code in the language and framework used primarily by the developer (For example Secure Code Warrior)
5. Understand the primary IDEs that developers use for writing code, and integrate security features with those IDes, this is often referred to as Shift-Left security and Dev-First security. Including:
   • Local SAST (i.e. Snyk IDE)
   • Digital Signatures for git commits using GNU Privacy Guard (GPG) for increased integrity.
   • Strong authentication
   • Pre-Commit hooks
6. Scan repositories with automated tools (SAST, DAST, IAST, SCA) to identify common application security weaknesses missed by developers.
   • As part of step 6, utilise the same opportunity to update software assets.
   • Also, ensure vulnerability reports are being stored/updated properly.
7. Perform periodic, independent penetration testing, against critical, externally facing software assets.
8. Bug Bounty programs where appropriate, to drive public visibility and gain an ongoing focus on dynamic issues.
9. Review findings from automated testing tools, and independent penetration testing, to help prioritise remediation efforts.
   • For a tool to centrally track and manage findings from tools and penetration tests, OWASP provides DefectDojo for this purpose, and it can be integrated with DependencyTrack, mentioned above.

---