
Quick Tips for Building an Effective AppSec Program – Part 2

May 02, 2018

In my last blog post, I talked about what an application security (AppSec) program is and how an organization would go about building a formal program to secure their internally-developed applications, as well as third-party applications they have or will be deploying. I touched on the importance of creating an application catalog, aligning with one of several industry AppSec frameworks, and having a solid understanding of your application architecture, that, together, can form the necessary foundation for a formal program. 


In this post, I’ll discuss how you should be thinking about the various toolchains you’ve already deployed or are thinking about deploying, as well as defect tracking and vulnerability management processes to help your AppSec and development teams stay on top of remediation efforts across your application environment in an efficient and programmatic way. So let’s start with assessment toolchains.

Assessment Toolchain

Assessment tools must be carefully chosen, sensibly configured, and properly integrated into the SDLC to be effective. The end goal is to build a reliable and trustworthy set of processes that gives sufficiently wide and deep scan coverage across the application portfolio.

Knowing the capabilities and limitations of your static, dynamic, and interactive application security testing tools (SAST, DAST, and IAST) will enable you to identify and fill coverage gaps with other technologies. For example, functional testing tools such as Selenium may be leveraged to drive dynamic scanners through application workflows they would not otherwise reach.

It’s important to note that relying on automated tools alone may provide a false sense of security. According to OWASP, “Security vulnerabilities can be quite complex and deeply buried in code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with advanced tools.” 

See https://www.optiv.com/blog/secure-sdlc-lessons-learned-2-assessment-toolchain/ for more information.

Defect Tracking and Remediation

Results from the assessment toolchain are typically fed into defect tracking systems. By recording the source/stage where each vulnerability was identified, and by what tool, your organization can better measure the effectiveness of these tools and the program as a whole.

For organizations leveraging more than one assessment tool, consolidating scan results to a centralized vulnerability management system is essential. Defect merging, de-duplication, and normalization can be automated through data rules to quickly assign bug ownership to the proper teams for remediation.

As AppSec programs mature, organizations tend to rely less on severity ratings from tools and more on their own weighted risk classification system. A properly designed and integrated defect tracking system, aligned with risk management objectives, will facilitate prioritized defect remediation and support vulnerability and knowledge management activities.
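The consolidation step described above (normalizing results from several tools, de-duplicating them, recording which tool and SDLC stage surfaced each finding, routing ownership by data rules, and ranking by an organization-specific weighted risk score rather than raw tool severity) is easier to see in code. The following is an added example, not code from Optiv or from any particular vulnerability management product. The tool names (`sast-tool`, `iast-tool`, `dast-tool`), their severity vocabularies, the owner rules, the application catalog attributes, the risk formula, and the sample findings are all constructed assumptions for illustration.

```python
"""
Added example: consolidate findings from several assessment tools into one
normalized defect record, de-duplicate them, keep the tool/stage provenance of
each report, assign ownership by data rules, and rank by weighted risk.
All tool names, vocabularies, weights and sample findings are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Common severity scale every tool is mapped onto after normalization (assumed).
SEVERITY_SCALE = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Each hypothetical tool's own vocabulary mapped to the common scale (assumed).
TOOL_SEVERITY = {
    "sast-tool": {"Critical": "critical", "High": "high", "Medium": "medium", "Low": "low"},
    "iast-tool": {"P1": "critical", "P2": "high", "P3": "medium", "P4": "low"},
    "dast-tool": {"P1": "critical", "P2": "high", "P3": "medium", "P4": "low", "P5": "info"},
}

# Data rules: code path or URL prefix -> owning team (assumed).
OWNER_RULES = [
    ("src/orders/", "orders-team"),
    ("src/auth/", "identity-team"),
    ("/api/", "platform-team"),
]

# Attributes pulled from the application catalog for weighting (assumed values).
APP_CATALOG = {
    "orders-service": {"criticality": 3, "internet_facing": True},
    "batch-reporter": {"criticality": 1, "internet_facing": False},
}


@dataclass
class Defect:
    app: str
    cwe: str
    location: str                      # "file:line" for code tools, URL path for DAST
    severity: str                      # normalized severity from SEVERITY_SCALE
    sources: List[Dict[str, str]] = field(default_factory=list)  # [{"tool", "stage"}]
    owner: str = "unassigned"

    @property
    def fingerprint(self) -> str:
        # Same weakness at the same place in the same app is the same defect.
        return f"{self.app}|{self.cwe}|{self.location}"


def normalize(tool: str, stage: str, app: str, raw: Dict[str, str]) -> Defect:
    """Translate one raw tool finding into the common schema, keeping provenance."""
    sev = TOOL_SEVERITY[tool].get(raw["severity"], "info")
    return Defect(app, raw["cwe"], raw["location"], sev, [{"tool": tool, "stage": stage}])


def merge(defects: List[Defect]) -> Dict[str, Defect]:
    """De-duplicate by fingerprint; merged records keep every source and the highest severity."""
    merged: Dict[str, Defect] = {}
    for d in defects:
        existing = merged.get(d.fingerprint)
        if existing is None:
            merged[d.fingerprint] = d
            continue
        existing.sources.extend(d.sources)
        if SEVERITY_SCALE[d.severity] > SEVERITY_SCALE[existing.severity]:
            existing.severity = d.severity
    return merged


def assign_owner(d: Defect) -> str:
    """First matching prefix rule wins; unmatched defects stay 'unassigned' for triage."""
    for prefix, team in OWNER_RULES:
        if d.location.startswith(prefix):
            d.owner = team
            break
    return d.owner


def risk_score(d: Defect) -> int:
    """Weighted risk: severity x asset criticality x exposure, plus a bump when more than one tool agrees."""
    attrs = APP_CATALOG.get(d.app, {"criticality": 1, "internet_facing": False})
    exposure = 2 if attrs["internet_facing"] else 1
    distinct_tools = len({s["tool"] for s in d.sources})
    return SEVERITY_SCALE[d.severity] * attrs["criticality"] * exposure + (distinct_tools - 1)


# Constructed sample findings as (tool, sdlc_stage, app, raw_record).
RAW_FINDINGS = [
    ("sast-tool", "build", "orders-service",
     {"cwe": "CWE-79", "location": "src/orders/views.py:10", "severity": "Medium"}),
    ("iast-tool", "test", "orders-service",
     {"cwe": "CWE-79", "location": "src/orders/views.py:10", "severity": "P2"}),
    ("dast-tool", "stage", "orders-service",
     {"cwe": "CWE-89", "location": "/api/orders", "severity": "P1"}),
    ("sast-tool", "build", "batch-reporter",
     {"cwe": "CWE-89", "location": "src/reports/db.py:77", "severity": "High"}),
    ("sast-tool", "release", "batch-reporter",
     {"cwe": "CWE-89", "location": "src/reports/db.py:77", "severity": "High"}),
]


def build_backlog(raw_findings=RAW_FINDINGS) -> List[Defect]:
    """Normalize, merge, assign owners, and return defects ranked by weighted risk."""
    defects = [normalize(t, s, a, r) for t, s, a, r in raw_findings]
    merged = merge(defects)
    for d in merged.values():
        assign_owner(d)
    return sorted(merged.values(), key=risk_score, reverse=True)


if __name__ == "__main__":
    for d in build_backlog():
        provenance = ", ".join(f"{s['tool']}@{s['stage']}" for s in d.sources)
        print(f"{risk_score(d):>2} {d.severity:<8} {d.owner:<14} {d.cwe} {d.location} [{provenance}]")
```

Two things the run makes visible that the tools' own severities would not: the XSS finding reported as "Medium" by the static tool is upgraded when the interactive tool confirms it at the same location in a later stage, and the same static finding seen twice (build and release) collapses into one defect without inflating its score, because only distinct tools count as corroboration. The `unassigned` owner on the unmatched path is deliberate; it surfaces a gap in the ownership rules rather than silently routing the defect to the wrong team.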

Vulnerability Management

Application vulnerability management is defined as the post-identification response to handling reported software security issues. Operationally, it is the process of remediating or mitigating risk at the application platform, framework and component levels. Sources of reported vulnerabilities may include the assessment toolchain, software composition analysis tools, internal teams, external entities and incident response units. Clear lines of responsibility should be defined by security policy to hold appropriate teams accountable for application vulnerability management. 

Organizations now require deep visibility into their various application environments (dev, test, stage, production) to be able to prevent and quickly respond to vulnerabilities. Those that leverage automation and orchestration technologies are much better equipped to realize this objective. 

There are many other activities that can contribute to the success of an AppSec program, such as metrics and security training. I’ll explore these and more in my next post. 

By: Shawn Asmus

Practice Manager, Application Security, CISSP, CCSP, OSCP
