In this article we will work a little with the concepts of Secure by Design in ASPM and how Application Security Posture Management platforms are influencing the security posture of applications.
At a time when we continue to see problems of data leaks and vulnerabilities in applications increasingly impacting businesses and companies, we need to look once again at the basic concepts and understand if we are getting the best out of them and if we have achieved even more vision of how mature our application is.
Therefore, looking at the development process and understanding some basic concepts is an important step so that development teams can increasingly build better code.
Secure by Design – Threat Modeling
Whenever we talk about application security, it is important, whenever possible, to look at the basic and fundamental concepts for development. One of these fundamentals is Secure by Design, and it is worth reviewing in this article what the main points are that we can learn.
In this sense, the most important and basic point when we talk about Secure by Design is to understand that the primary objective is for security thinking to be included throughout the application development process, starting at the very beginning of the process. With this vision, what is expected is to create more resilient and secure software, reducing the possibility of being affected by vulnerabilities.
One of the first concepts we can extract is Threat Modeling, and we’ve already talked about this topic a few times on our blog. It’s worth reading. But let’s make some points again about modeling and how it impacts the development process.
Conceptually, the process of performing threat modeling must be carried out in the initial phases of the application, even when we are designing the solution, and this helps development teams identify scenarios where the application may be exposed to threats. By being able to design these scenarios and understand what these possible threats would be, we were able to identify requirements, in this case, security, that will be important for the correct coding of the application.
Secure by Design – Security Testing
Another important concept within Secure by Design is security testing. Within the development process, tests must be carried out continuously, and throughout the entire development cycle, this point is important for building a secure application. The basic objective of these tests is to ensure the safe construction of the code.
Likewise, application testing can and should be carried out manually, and it is a more efficient model for identifying vulnerabilities or even improvements in the code. This does not mean that testing using tools is not adequate. On the contrary, the tools will offer the possibility of scaling the entire testing structure, thus guaranteeing the effectiveness of the testing process.
Secure by Design – Training and Awareness
Another important concept that I want to bring here, and that we have already talked about in some other articles here on the blog is training and awareness. Yes, this is a Secure by Design concept, and you will understand why.
We have already said that development teams need to use the best market practices to develop their applications. We also need to be aware and informed of new coding and exploration techniques, and this can be one of the biggest differentiators between a reactive team and a proactive team in software development.
Furthermore, guaranteeing development teams the possibility of learning and understanding what can be improved in the code is one of the most important investments that a development team manager can make. This can guarantee better results, and if aligned with other initiatives, It could be a turning point for many teams.
We could stay here for a while, talking more about other concepts present in the Secure by Design topic, but I want to stay with these three and then show how they can and are integrated into the ASPM concept, which we will see below.
ASPM: What it is and what it isn’t
Firstly, let’s understand what ASPM is not. I believe this will make it easier to understand the concept.
When we talk about ASPM, we are not talking about a tool or even a product. ASPM cannot be confused with a product. It is far beyond that, and thinking this way, in addition to being wrong, is very simplistic from the point of view of secure development maturity.
Also, ASPM is not a methodology nor even a set of practices. ASPM can be distinct from a methodology that must be applied to a structure or a process to structure in a way understood as appropriate. It’s not that.
Well, we got two big points out of the way that is today considered ASPM, but after all, what is ASPM?
ASPM: What is it, and how does it impact software development?
ASPM is a concept that platforms and tools use to structure and organize the security posture of applications. Following this principle, we can look at tools and understand whether what they give us is a vision
Gartner, in its article called “Innovation Insight for Application Security Posture Management,” brings us documentation rich in details that help us understand what tools or platforms use ASPM concepts and how they work.
As we can see, Orchestrate, Correlate, Prioritize, and Select, in addition to Risk Management, are points that are part of an ASPM tool. But here, it is important to clarify some points that may be confusing.
However, due to their integrative capacity, ASPM tools can be used as tools that help orchestrate testing tools throughout the development cycle. They also help correlate test results, for example.
Here, the term “correlate” cannot be understood as aligning logs and pointing out the sequence of actions, as SIEM tools do, for example. Here, the term correlate aims to intelligently understand which events identified in several sources can be the same.
Let’s go through a scenario. The same vulnerability was identified at two different times by different sources. ASPM tools must be intelligent enough to show that it is the same vulnerability, just identified in different sources.
However, helping and structuring the possibility of prioritizing and selecting the most critical components or vulnerabilities is also one of the characteristics of such tools, and this allows vulnerabilities to be treated appropriately and at the appropriate time within the vulnerability management process.
This connects with the last part, which is to allow the identified risks to be managed correctly, assigning the appropriate criticality.
This type of vision is what makes ASPM tools very important within the context of application security.
What is the role of ASPM tools for Secure by Design?
To bring this understanding, I will show how our platform integrates these concepts, but in order not to be too extensive, I will show some concepts being worked on within the platform.
Beforehand, the first point I want to address is the possibility of guaranteeing teams the possibility of building a set of requirements based on a modeling result. As we said, Threat Modeling will provide developers with the possibility, when identifying threat scenarios, to choose requirements that can mitigate these threats.
In our Secure by Design module, teams can structure a Threat Modeling project using the well-known CAPEC attack scenario structure as a basis, which makes it much easier to build scenarios that can affect the application being modeled.
In this sense, with these scenarios already created and the requirements identified, the platform itself already generates a structure, which we internally call Requirements, which will serve as a basis for development teams to plan the implementation of the requirements in a practical and structured way.
A second very important point in ASPM tools is to allow teams to maintain and acquire knowledge. Our platform provides this through our People and Culture module. The module allows developers the possibility of practicing their knowledge in situations that can help them understand a vulnerability and how it can be resolved.
What is important here is to understand that the module is not intended to provide development teams with a CTF (Capture the Flag) tool. It is much more than that. This module aims to provide practical and active knowledge acquisition.
Centralizing information and allowing it to be easily viewed are other features of ASPM tools. Here we have an example of this.
This facility allows everyone involved in the vulnerability management process to understand the vulnerability scenario of an asset or even a scope.
Integrations
The possibility of integrating several testing tools allows us to maintain the flow of continuous code testing, in addition to providing analysts who will carry out code review tests with important information about the possibility of vulnerabilities in specific parts of the code. With this information, it is possible for analysts to carry out a much more focused code analysis with the possibility of more efficient results.
In conclusion, we know that there are other Secure by Design concepts that we haven’t talked about here, but I want to show that ASPM tools should make it easier for development teams to create more secure applications and that good development concepts can, and should, be integrated into new platforms that aim to facilitate the developer’s activities.
And what do you think is important about ASPM tools?
