It’s cold this morning in Minnesota so let’s step away to a warmer place. I mean beach warm. Picture it, you’re walking through the sand, the ocean before you. You find that perfect spot for your beach towel, set down your items and you take out your wallet, smartphone and keys.
Where do you put them? In the toe of your shoe, of course. Thieves never check there, right?
This is security at its simplest and it’s something we all do, just like we check over our shoulders at the ATM or draw a line as we write a check. These simple proactive measures — with no immediate threat — are proof that we value our personal security. And yet, in the workplace, when it comes to the security of our applications, we’re often late to add the proper protocols. To put the valuables in the toe of the shoe if you will.
It’s time for a change.
App security is a practice, not a milestone
Now wait, you say. What’s so important about application security that you had to pull me off my beach? In short: Plenty, because applications are becoming the beach of our technology-driven world. Simply put, everyone wants to be there and few of us have any control over who’s there with us.
We trust our apps to carry company-sensitive data and guide client interactions, instances where security is a must. Yet many of us don’t take the steps necessary to shore up the inherent vulnerabilities in our apps or to control who has access to them. Establishing an app security practice, however, allows us to:
- Reduce risk of breach from insecure software
- Meet compliance requirements
- Make secure software a competitive advantage
- Scale secure software development cost effectively
Testing early and throughout the entire life cycle — design, coding, building, testing, etc. — allows you to find bugs whenever they pop up and saves you the considerable costs of fixing these problems once the solution is finished. It’s better to put your best foot forward from the get-go, so let’s take a look at how you can do just that.
Implementing your application security toolset
Your application security process starts with identifying security flaws in your application code, vulnerabilities in your open source components and configuration errors. These are the problems that will sink your security strategy from the very beginning, so it’s best to find them early. Automated tools are your friend here. They’ll ensure consistent identification of those nagging problems.
Once the automated tools are set in place, you can move on to the human portion of your security strategy — specifically a manual review of the code and some functional testing. This process can be labor intensive, but integrating a toolset will reduce your costs and increase everyone’s productivity.
Now let’s put your plan in place.
Establishing your practice implementation roadmap
Successful implementation of your security practice doesn’t happen overnight. There are steps involved that must be worked through. To bring your practice to life, you’ll need the following:
- Commitment from management and engineers. Without management’s approval to move forward and the engineers’ ability to execute, this proposal is going nowhere fast. You need them, no matter what.
- Define policy and metrics. A clear vision makes it easier for everyone. Define your policy now and you’ll reduce questions later.
- Baseline scan of applications. You can’t get where you’re going if you don’t know where you’ve been. Your baseline scan will show you the current lay of the land — so to speak — and can guide your future strategy.
- Develop a remediation and mitigation strategy. How will you mitigate problems, and if one arises, how will you remedy the situation? Once you determine your answers here, you may want to revisit your policy and metrics.
- Address findings and rescan. As you go through the process of applying security to every facet of your app’s creation, you’ll uncover new findings. Add these findings to your project requirements and design and then scan again. Scans can be automated with server plugins, and trust me, it’s always worth your time to scan, then scan again.
- Ongoing compliance. An integrated development environment, or IDE, is your engineers’ one-stop shop for source code editing, debugging solutions and access to automated build tools. You can integrate your application security toolset into one if you want. I recommend you do. I’d also recommend you include an automated software composition analysis or SCA into your workflow as well.
- Automate security in your pipeline. Make security practice an integral part of your software release process. Always gate your commits, builds and/or deployments based on criteria that include application security aspects. Those few extra steps could pay off big time down the road.
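One way to turn the policy, baseline scan, rescan and pipeline gate steps above into a concrete build check, as an added example that is not from the original post; the policy thresholds, the finding fields and the sample scanner output are constructed assumptions rather than any real tool’s format:

```python
import sys
# Constructed policy (hypothetical thresholds): fail the build on any new finding at or
# above "high" that the baseline did not already contain, or on too many open mediums.
POLICY = {"block_new_at_or_above": "high", "max_open_medium": 5}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def finding_key(finding):
    """Identify a finding by rule, file and line so a rescan can be diffed against the baseline."""
    return (finding["rule"], finding["file"], finding["line"])

def new_findings(current, baseline):
    """Findings present in the current scan but absent from the baseline scan."""
    known = {finding_key(f) for f in baseline}
    return [f for f in current if finding_key(f) not in known]

def severity_counts(findings):
    """Per-severity totals, the basic metric to track from one scan to the next."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

def evaluate_gate(current, baseline, policy):
    """Return (passed, reasons); an empty reasons list means the build may proceed."""
    reasons = []
    threshold = SEVERITY_RANK[policy["block_new_at_or_above"]]
    for f in new_findings(current, baseline):
        if SEVERITY_RANK[f["severity"]] >= threshold:
            reasons.append(f"new {f['severity']} finding {f['rule']} at {f['file']}:{f['line']}")
    open_medium = severity_counts(current).get("medium", 0)
    if open_medium > policy["max_open_medium"]:
        reasons.append(f"{open_medium} open medium findings exceed the limit of {policy['max_open_medium']}")
    return (not reasons, reasons)

# Constructed sample scanner output; field names are an assumption, not any real tool's format.
BASELINE = [
    {"rule": "sql-injection", "file": "api/orders.py", "line": 42, "severity": "high"},
    {"rule": "weak-hash", "file": "auth/tokens.py", "line": 10, "severity": "medium"},
]
RESCAN = BASELINE + [
    {"rule": "hardcoded-secret", "file": "config/settings.py", "line": 7, "severity": "critical"},
]

if __name__ == "__main__":
    passed, reasons = evaluate_gate(RESCAN, BASELINE, POLICY)
    for reason in reasons:
        print("GATE:", reason)
    sys.exit(0 if passed else 1)  # a non-zero exit stops the pipeline stage
```

Known baseline findings do not block the build here; they are the remediation backlog tracked by the metrics, while anything new at or above the threshold fails the gate immediately.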
Plan your testing strategy early
Sliding your wallet in your shoe at the beach is a last-second security measure. Your app’s security cannot afford to be a last-minute addition. Security should be at the forefront throughout the entire development life cycle. It’s the only way to ensure you’ll have an app that’s worth protecting when it’s all said and done.