Quick Tips for Building an Effective AppSec Program – Part 2
In my last blog post, I talked about what an application security (AppSec) program is and how an organization would go about building a formal program to secure its internally developed applications, as well as the third-party applications it has deployed or will be deploying. I touched on the importance of creating an application catalog, aligning with one of several industry AppSec frameworks, and having a solid understanding of your application architecture; together, these form the necessary foundation for a formal program.
In this post, I’ll discuss how you should be thinking about the various toolchains you’ve already deployed or are thinking about deploying, as well as defect tracking and vulnerability management processes to help your AppSec and development teams stay on top of remediation efforts across your application environment in an efficient and programmatic way. So let’s start with assessment toolchains.
Assessment tools must be carefully chosen, sensibly configured, and properly integrated into the SDLC to be effective. The end goal is to build a reliable and trustworthy set of processes that gives sufficiently wide and deep scan coverage across the application portfolio.
Knowing the capabilities and limitations of your static, dynamic, and interactive application security tools will enable you to identify and fill gaps with other technologies. For example, functional testing tools such as Selenium may be leveraged for added coverage.
It’s important to note that relying on automated tools alone may provide a false sense of security. According to OWASP, “Security vulnerabilities can be quite complex and deeply buried in code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with advanced tools.”
See https://www.optiv.com/blog/secure-sdlc-lessons-learned-2-assessment-toolchain/ for more information.
Results from the assessment toolchain are typically fed into defect tracking systems. By recording the source/stage where each vulnerability was identified, and by what tool, your organization can better measure the effectiveness of these tools and the program as a whole.
For organizations leveraging more than one assessment tool, consolidating scan results to a centralized vulnerability management system is essential. Defect merging, de-duplication, and normalization can be automated through data rules to quickly assign bug ownership to the proper teams for remediation.
As AppSec programs mature, organizations tend to rely less on severity ratings from tools and more on their own weighted risk classification system. A properly designed and integrated defect tracking system, aligned with risk management objectives, will facilitate prioritized defect remediation and support vulnerability and knowledge management activities.
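As an added illustration (not Optiv's code), the consolidation flow described above in Python: findings from two constructed tool formats are normalized to one schema with their source tool and SDLC stage recorded, de-duplicated, scored with a weighted classification that draws on the application catalog from Part 1 rather than on tool severity alone, and assigned to an owning team. The catalog entries, tool formats, CWE weights and team names are all constructed for the example.

```python
# Added example, not Optiv's code: catalog, tool formats and weights are constructed.
CATALOG = {  # application catalog (Part 1): criticality 1-3, exposure, owning team
    "payments-api": {"criticality": 3, "internet_facing": True, "owner": "team-payments"},
    "intranet-wiki": {"criticality": 1, "internet_facing": False, "owner": "team-it"},
}
TOOL_SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CWE_WEIGHT = {89: 3, 79: 2}  # organizational weight per weakness class (constructed)
# Constructed raw output from two static tools that name the same facts differently.
TOOL_A_RAW = [
    {"project": "payments-api", "rule": "CWE-89", "path": "db.py:42", "sev": "high"},
    {"project": "intranet-wiki", "rule": "CWE-79", "path": "page.py:7", "sev": "critical"},
]
TOOL_B_RAW = [
    {"app": "payments-api", "cwe": 89, "loc": "db.py:42", "risk": "medium"},
    {"app": "payments-api", "cwe": 22, "loc": "files.py:10", "risk": "low"},
]

def normalize(raw, tool, stage, app, cwe, loc, sev):
    """Map one tool's records onto the common schema, recording tool and SDLC stage."""
    return [{"app": r[app], "cwe": int(str(r[cwe]).upper().replace("CWE-", "")),
             "location": r[loc], "tools": [tool], "stage": stage,
             "tool_sev": TOOL_SEVERITY[r[sev].lower()]} for r in raw]

def merge(findings):
    """De-duplicate on (app, CWE, location); keep every reporting tool and the max severity."""
    merged = {}
    for f in findings:
        key = (f["app"], f["cwe"], f["location"])
        if key in merged:
            merged[key]["tools"] = sorted(set(merged[key]["tools"] + f["tools"]))
            merged[key]["tool_sev"] = max(merged[key]["tool_sev"], f["tool_sev"])
        else:
            merged[key] = dict(f)
    return list(merged.values())

def classify(findings):
    """Weighted risk: application criticality and exposure dominate; the tool's
    own severity is only a minor input. The owner comes from the catalog."""
    for f in findings:
        app = CATALOG[f["app"]]
        f["risk"] = (3 * app["criticality"] + (2 if app["internet_facing"] else 0)
                     + CWE_WEIGHT.get(f["cwe"], 1) + f["tool_sev"])
        f["owner"] = app["owner"]
    return sorted(findings, key=lambda f: (-f["risk"], f["app"], f["cwe"]))

def consolidate():
    findings = normalize(TOOL_A_RAW, "tool-a", "ci-sast", "project", "rule", "path", "sev")
    findings += normalize(TOOL_B_RAW, "tool-b", "nightly-sast", "app", "cwe", "loc", "risk")
    return classify(merge(findings))
```

Note that the finding the tool rated "critical" on the internal wiki ends up ranked below a "low" finding on the internet-facing payments service, which is the effect of the weighted classification the paragraph describes.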
Application vulnerability management is defined as the post-identification response to handling reported software security issues. Operationally, it is the process of remediating or mitigating risk at the application platform, framework and component levels. Sources of reported vulnerabilities may include the assessment toolchain, software composition analysis tools, internal teams, external entities and incident response units. Clear lines of responsibility should be defined by security policy to hold appropriate teams accountable for application vulnerability management.
Organizations now require deep visibility into their various application environments (dev, test, stage, production) to be able to prevent and quickly respond to vulnerabilities. Those that leverage automation and orchestration technologies are much better equipped to realize this objective.
There are many other activities that can contribute to the success of an AppSec program, such as metrics and security training. I’ll explore these and more in my next post.