Application security is on the top of everyone’s todo list, and it isn’t as easy as it seems. There are lots of moving parts supported by lots of solutions. We know it is not possible to do everything. James Jardine, our CEO, put together a webcast the other day with a few different things you can do to help improve your application security program.
You might be surprised by the list, since it does not deal directly with the traditional recommendations of static or dynamic analyzers or threat modeling. Instead, he takes a higher level approach to look at how the program as a whole can be improved. Here is a quick rundown of the list (watch the free video for much more insight):
Getting the App Teams Involved
Neither the security teams or the applications can do it all alone. Although many may not want to admit it, we need each other. Traditionally, I have seen security teams trying to take on too much of the burden when it comes to tools and security aspects of an application. Unfortunately, they usually do not have the required skillets or the access to fix many of the issues that are identified. It is important to start getting the application teams, that includes the developers, business analysts, testers, and others all involved with the security of the application. Application security is everyone in the company’s responsibility. The app teams are capable of managing tools like static and dynamic analyzers and even doing some level of security testing. The critical first step in this process is having good solid communication and collaboration between the different teams.
Identify Skill-sets and Resources
Building on the process of getting the application teams involved, we need to understand what resources and skillets we currently have in our organization. Take the time to evaluate your resources to understand what is available. In addition, you need to understand what skillets you need for your tasks. There may be specific technical skill sets, like a specific programming language, or they may be management type skill sets you need. This is where the hard work comes in. It requires you to really understand what your goals are to help determine how you will get there. Once the lists are compiled, it is easier to identify which skill-sets or resources are in need. This leads us to the ability to then determine how we gain those skill-sets. It may be through hiring new resources, or it might just be that you need to provide some training to existing resources. Without having a solid understanding of what you want, you may find yourself hiring resources that don’t help move the program forward.
Training
Training is very important, in fact, it is a must have for the different teams. With the traditional separation of security and development, development doesn’t have as much security experience or training. As you move towards getting more application team involvement, training is the foundation to build upon. The team must have the resources to understand security at a high enough level to be efficient at the tasks they are responsible for. Don’t expect better application security if the teams are not getting the support they need.
Application Inventory
Do you have an application inventory where you track all of your applications? For most companies the answer is no, or we track some applications but they are not kept up to date. An application inventory helps quickly identify the applications, their data classifications, 3rd party library usage, and much more. With the reliance on so many 3rd party libraries, this can be useful when a library is found to be vulnerable. How do you know if it effects your applications or which ones? How do you know which apps have had penetration tests, or are even required too. The application inventory plays a key role in helping understand these decisions.
Policies and Procedures
Last, but not least, do you have policies and procedures in place regarding application security. These policies are what guide the teams into performing better security. If there are no guidelines in place, you can be sure that it will be much more difficult to get good compliance. Take the time to create the policies you need to help define how application security should be handled. Extend those policies and guidelines out to different pieces, such as static or dynamic scanning. How should those tools be used, who is responsible, when should they be executed. Defining the program helps guide the roadmap to an improved application security program.
Jardine Software focuses on helping companies retrieve more value out of their programs. Contact us to discuss your concerns and understand how we can help improve your application security program.
James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.