Security is a process, not a destination. Which applies to Application Security also.
Let's quickly address common AppSec mistakes;
- AppSec is not scanning in the CI/CD pipelines
- AppSec is not security gates in the CI/CD pipelines
- AppSec is not patching your dependencies
- AppSec is not Vulnerability Management <– this cannot be stressed enough!
- AppSec is not shift-left or DevSecOps
- AppSec is not a set of tools
Finally, AppSec is not the same as Information Security, Security Operations, or Network Security. These and AppSec are all subcategories of Security in the same way apples and oranges are fruit.
The above are mostly misguided DevSecOps
These are results of the shift-left approach of an Information Security professional in your organisation thinking they are doing a good thing for Developers.
AppSec might be analogous to SecDevOps, where Security exists when writing code before anything DevOps happens - but even SecDevOps misses the point of applications running in production that need to be secured.
What is AppSec anyway?
Application Security is summed up as;
A process of avoiding defects when writing or running application code
It's that simple.
If I run tools to find vulnerabilities, isn't that AppSec?
AppSec tooling does not find any vulnerabilities, no matter what name the tool chose to for its findings these tools, if they are truly AppSec tools, really only identify code Defects. Like any other defect in code, AppSec tools will also find defects.
Even if you want to call it a vulnerability, vulnerabilities are Defects that are also exploitable as an added characteristic.
It is important to make this distinction for an AppSec program because addressing defects are already part of the engineer normal activities, and if there is a QA (Quality Assurance) capability the organisation will have established a robust defect identification and remediation process that should already include security issues like login related bugs and syntax related vulnerabilities.
AppSec must integrate with the existing defect remediation process of the organisation or suffer from a failure to be prioritised or even adopted by Engineers.
Getting Started with an AppSec Practice
Automating static analysis scans in the build process is a poor place to start. Period. Just want to make is very clear; Do not do static analysis scans in the build process initially, do it when your confident about your Secure Code for assurance purposes!
Now we know what we are NOT doing first, where is a good place to start?
Continue reading the next post on How to start an AppSec Program
You may also be interested in a primer Guide to Application Security tools