The biggest challenges in AppSec
In our twelve years of experience, Conviso has been able to identify and help solve a number of application security challenges faced by our customers. That is why we decided to address in this article the ones we encounter most often when discussing the secure development process.
We are not going to deal here with issues such as specific vulnerabilities, scalability problems, or even tools. Not that these are unimportant, but there are other concerns that need to be assessed. The idea of this article is to focus on points that are often left aside yet strongly influence the security of applications.
Below we list the challenges that we believe every development team faces to a greater or lesser degree, and which must be analyzed and carefully resolved.
We should not and cannot leave aside technical issues and challenges, but many of those technical challenges have their origins in some or all of the points listed here.
Let’s get to them.
One of the first points we want to raise is the change of mindset that must be cultivated in development teams. Cultural change is one of the greatest challenges you will face in this process.
We often believe that our developers have reached a level at which nothing more can be learned, or even changed, and this is the result of a process that begins at university.
Our developers are not prepared to think of a solution as a construction process that must follow certain phases. For a long time we were trained to be executors: we took a thought, a desire, and turned it into code.
This process was natural and not especially difficult to execute. We were trained to do it, and it is culturally ingrained in developer training that any concern beyond building the code should be left to other professionals. This is exactly what happens with security.
“There will always be someone to test the application, so why should I worry about that now?”
This phrase used to be very common, but thanks to a lot of effort and commitment we have been able to change this view, showing developers that there are other points they should also observe.
We need to understand that changing our mindset and seeking to implement security from the very beginning of building an application is the best way to reach a higher level of software security.
Today we already have a more robust, security-focused vision. Development models and methodologies are more strongly anchored in best development practices, and we find more and more developers who care about the secure development process.
A great victory!
Insufficient knowledge
Seek knowledge, learn 1% more every day!
This is our goal at Conviso: we always seek to learn more and improve our knowledge, so that we can help our market more and more.
We want this thinking to spread throughout the market. We want a market of professionals focused on creating better solutions, all with security firmly in mind.
However, we have the opportunity to talk to many developers and other professionals from various areas who have never, for example, heard of OWASP. For us this is an indication that something is not being done the right way.
Many of these professionals are web application developers and do not know that OWASP, the Open Web Application Security Project, an international organization strongly dedicated to spreading web application security, has existed since 2004 and provides free and very well developed material.
Whenever we work with a client, we try to understand what their pain is and what they really want to solve, and often the answer is simplistic and given very quickly: “We want to solve our vulnerabilities!”
Most of the time, though, that is not the real problem. We have to show the manager that just fixing the vulnerability is not the solution: you are treating the effect and not the cause, which is often the developer's lack of knowledge of best practices or even of the vulnerabilities themselves.
Another example: many of these developers do not know the OWASP Top 10, a report updated every 3 years that lists the ten most prevalent vulnerabilities of that period. Knowing it alone would help with more than 70% of the vulnerabilities.
However, let's take it easy. Saying that it is the developer's fault is also too simplistic and too quick a way to express the problem.
The problem is much deeper and comes from the professional's training base: when asked whether they had any course in their training focused on secure development, the answer is almost always the same: no.
On the other hand, it is not hard to find managers who do not want to invest in training their professionals and do not understand the importance of training and capacity building. A pity: we need to begin to understand that this investment is one of the most important to be made.
Think about it!
Look at this sentence:
“Everything will work out when we buy tool X!”
Have you heard that?
It is more common than we can imagine. We often find companies whose security solutions are strongly anchored in tools, and in these companies there is a belief that “if we have these tools, we are safe.”
This is a classic mistake born of not understanding the whole picture: the problem is not seen in context, only in its consequences. We believe that tools are important (we create, market and work with tools), but we do not believe they are the solution; they are a support.
We believe that for a long time to come we will still depend on people's creativity and ingenuity. People are the basis of our process and, as such, they must be prepared for it; the tools are there to support them.
Of course we believe that a development pipeline must integrate tools that help in development, or even in the process of discovering vulnerabilities. What we want to say is that we should not rest our belief on a silver bullet: there is no such thing in Application Security. Everything has its place and its importance; it is a set.
Finally, we leave here a sentence from Robert Statsinger, Senior Solutions Architect at Contrast Security, which summarizes our thinking very well:
“Application security is something you do, not something you buy.”
Lack of a knowledge management process
Well, if we understand that lack of knowledge is a problem that must be faced, we need to think about how to retain the knowledge that we create and that is produced within our company.
We need to ensure that when we fix a vulnerability, this knowledge is retained by the team and remains available for future learning.
Many companies are not focusing on this: even while helping train their developers, they still lack a process that ensures the knowledge stays in the company when some of those developers leave.
Managers often worry about acquiring tools that cost hundreds of dollars to put into their structure, but do not take the same care with one of their team's most precious assets, which is knowledge.
Using a tool that can provide this is fundamental to keeping knowledge recorded and easy to consult within the secure development process.
Such tools do exist, from the simplest to the most complex, from free to paid, but not all vulnerability management tools can deliver this both easily and simply.
Within the process of evolving in application security, preserving knowledge is one of the most important phases and steps.
When knowledge management works together with the team training process, you can be sure that the results will always be positive.
Lack of professionals focused on AppSec
Traditionally the IT professional is understood as a “do it all” within the technology field.
When we talk about development the thinking is the same, because in many companies the developer needs to understand various aspects of the development process, becoming a “do it all”.
This is a problem we find quite easily: the developer is expected not only to code, but to do so correctly, without errors and without weaknesses or vulnerabilities.
Well, we know that nothing is 100% secure, and that a single professional will not be able to assume all the responsibilities within a complex process that involves many steps.
We need to understand that the best arrangement is to have, within the development teams, a professional focused on secure development best practices, working with their peers on the concepts and principles of security.
This does not remove the fact that everyone on the team needs this knowledge, but having this professional would already be one of the great steps to be taken.
This professional has a name: within the security community they are known as the Security Champion, and their main goal is to bring AppSec thinking, knowledge and practices to their peers.
We understand that this professional is one of the most important pieces in the whole secure development process; they will be the glue that unites everyone around a single goal.
Training a Security Champion is one of the investments that most easily brings results to companies, and it should be a focus of every development manager.
It was precisely because of these difficulties and challenges in Application Security that Conviso created AppSec Flow, a platform that supports the entire security cycle in software development and vulnerability management.
AppSec Flow also helps to create mechanisms that standardize the common work of security teams, such as testing and managing vulnerabilities.
Moreover, security ceases to be a bottleneck and becomes a continuous activity, integrated into the whole software development lifecycle, with the right analyses running at the right time, following best practices and, above all, without reducing the speed of the company's progress. That is why we say Flow is a complete Continuous Application Security platform!