Sign in Subscribe
2 min read AppSec

No Bullsh*t guide to Application Security

Security is a process, not a destination. Which applies to Application Security also.
Let's quickly address common AppSec mistakes;

  • AppSec is not scanning in the CI/CD pipelines
  • AppSec is not security gates in the CI/CD pipelines
  • AppSec is not patching your dependencies
  • AppSec is not Vulnerability Management <– this cannot be stressed enough!
  • AppSec is not shift-left or DevSecOps
  • AppSec is not a set of tools

Finally, AppSec is not the same as Information Security, Security Operations, or Network Security. These and AppSec are all subcategories of Security in the same way apples and oranges are fruit.

The above are mostly misguided DevSecOps
These are results of the shift-left approach of an Information Security professional in your organisation thinking they are doing a good thing for Developers.

AppSec might be analogous to SecDevOps, where Security exists when writing code before anything DevOps happens - but even SecDevOps misses the point of applications running in production that need to be secured.

What is AppSec anyway?

Application Security is summed up as;

A process of avoiding defects when writing or running application code

It's that simple.

If I run tools to find vulnerabilities, isn't that AppSec?

No.

AppSec tooling does not find any vulnerabilities, no matter what name the tool chose to for its findings these tools, if they are truly AppSec tools, really only identify code Defects. Like any other defect in code, AppSec tools will also find defects.

Even if you want to call it a vulnerability, vulnerabilities are Defects that are also exploitable as an added characteristic.

Vulnerability or Defect?

It is important to make this distinction for an AppSec program because addressing defects are already part of the engineer normal activities, and if there is a QA (Quality Assurance) capability the organisation will have established a robust defect identification and remediation process that should already include security  issues like login related bugs and syntax related vulnerabilities.

AppSec must integrate with the existing defect remediation process of the organisation or suffer from a failure to be prioritised or even adopted by Engineers.

Getting Started with an AppSec Practice

Automating static analysis scans in the build process is a poor place to start. Period. Just want to make is very clear; Do not do  static analysis scans in the build process initially, do it when your confident about your Secure Code for assurance purposes!

Now we know what we are NOT doing first, where is a good place to start?

Continue reading the next post on How to start an AppSec Program

You may also be interested in a primer Guide to Application Security tools

Published by:

Stof

You might also like...

Sep
05
Unveiling the Myths of Multi-Factor Authentication

Unveiling the Myths of Multi-Factor Authentication

MFA refresher Multi-Factor Authentication (MFA) is a security practice that requires users to provide two or more distinct authentication factors
9 min read
Aug
24
Forget DevSecOps and ShiftLeft

Forget DevSecOps and ShiftLeft

🪄Integrating Security Seamlessly In this article, we're about to spill the beans on why this approach rocks, answer
4 min read
May
25

The Imperative of Persistent CSRF Tokens (Video)

A brief on Cross-Site Request Forgery Cross-Site Request Forgery (CSRF) attacks, capable of duping a user into performing an unintended
5 min read
Apr
06

JWT: A Cryptographic Love Story with Security, Vulnerabilities, and a State of Confusion

Folks, remember to be careful with your JWTs. Use strong cryptographic algorithms, manage those secret keys like they're
15 min read
Jun
30

JWT Patterns that provide real security benefits

Throughout this post we will keep an YUK WORD tally of things that are not security characteristics of JWT, that
15 min read

Member discussion