Today, it seems like every organization has become a software company.
The increasing dependence on automation demands that software survive and thrive despite an increasingly hostile environment.
Insecure code has become the leading security risk and, increasingly, the leading business risk as well. It’s irresponsible at every level to ignore this risk while doubling- down on anti-virus solutions and firewalls — neither of which protects applications.
Modern software development requires continuous application security to go along with continuous integration, continuous delivery, and continuous deployment. Unfortunately, even well-established application security programs often can’t operate at the speed and scale required.
The challenge in a nutshell is enabling an existing development pipeline to reliably produce secure software without creating roadblocks or even speedbumps.
The reality is that if security slows down innovation, it will be bypassed. Here are my 5 best practices for automating application security in modern software projects:
1. Choose application security tools for speed, ease-of-use, accuracy, and scalability.
Instant feedback and ease of use are critical. Application security tools need to be usable by people in development and operations without any security experience. Any inaccuracy will require an expert to resolve, and experts don’t scale.
2. Integrate security directly into your pipeline.
To shorten those feedback loops, look for tools that deliver results directly into tools you’re already using, like Slack, HipChat, JIRA, Maven, Jenkins, SIEM, and PagerDuty. Security issues should look and feel like any other kind of development or operations issues.
3. Detect vulnerabilities.
Modern software development demands high-speed feedback on vulnerabilities. Legacy static (SAST) and dynamic (DAST) scanners are difficult to automate and generate false alarms. Investigate the use of newer interactive (IAST) tools that assess your applications from within, using the latest instrumentation technology.
4. Protect against attacks.
Application attack protection isn’t just for defense against known attacks, it provides a fast and flexible way to block novel attacks that emerge. Legacy web application firewalls (WAF) create network architecture complexity and aren’t very accurate. Fortunately, runtime application self-protection (RASP) is gaining wide adoption for its flexible deployment and impressive accuracy.
5. Use threat intelligence and security research to improve your security architecture.
Using generic tools that search for “negative” coding patterns is a good start. But as you mature, you may want your tools to automatically enforce the security patterns you’ve chosen. This is a “positive” approach to security. Ultimately, you want to be able to automatically verify that all your applications have the right security defenses in place, that all the defenses are correct, and that they have been used in all the right places.
The good news is that it is possible to create a software pipeline that can enable you to reliably secure code and protect applications in operations. Modern application security tools can give you instant feedback on both vulnerabilities and attacks.