Maintaining your AppSec program through office closures and economic uncertainty
Here are three ways application security teams can respond to staffing challenges and increased security risks today while strengthening their AppSec program for the future.
Organizations right now are facing the prospect of months of staffing and business continuity challenges. At the same time, cyber attacks by opportunistic hackers and cyber crime groups looking to profit or further disrupt society are increasing. Application security teams have to ensure the software they build and operate is secure against these increasing attacks, even as their available resources may be decreasing.
It’s a daunting task. However, by tactically addressing their security testing capacity, staff skills, and software supply chain risks today, AppSec teams can respond to resource challenges now while fundamentally improving the effectiveness of their AppSec program going forward. Here’s how.
Augment your AppSec team with on-demand resources
Skilled AppSec professionals are difficult to find in the best of times, but office closures and travel restrictions make it even more challenging to staff projects and continue business operations. If your team was understaffed before, they might be completely overwhelmed now, especially in light of the increased need to protect the organization from opportunistic hackers.
To maintain business continuity over the next few months, security teams will need to rethink how they prioritize and staff projects. Managed Application Security Testing services can help by giving you access to remote teams of application security testing experts when you need them.
Our Managed Security Testing offerings give you extreme flexibility and agility to adjust and optimize your security testing capacity as your needs change:
- Test types: Penetration testing, DAST, SAST, and mobile and network security testing
- Test depths: From basic automated scans to comprehensive manual tests
- Test schedules: Individual ad hoc tests or continuously running work streams
Regardless of how you choose to combine testing types, depths, and schedules, you can be confident that your applications will be tested by trained security experts using the most advanced tools and testing techniques available.
Raise the security IQ of your developers
While augmenting your existing application security staff is an immediate consideration, so too is investing in them, particularly your developers. They are your first line of defense against cyber attacks on the software your teams produce.
Unfortunately, most developers have little, if any, formal training in secure software development. According to research conducted by Forrester, none of the top 40 college computer science programs in the U.S. require even a single class on secure coding or secure application design. The burden of security training falls on security and development teams themselves. But how do you train your staff when you can’t bring them together for classes?
Even if traditional, on-site instructor-led training (ILT) isn’t possible, you have great options for both scheduled and self-directed training that teams can access from any location:
- eLearning. This interactive online security training solution allows team members to consume a wide range of application security courseware on demand and at their own pace. Security teams can create custom curriculums and learner cohorts, track learner progress, and create leader boards. The Synopsys eLearning solution is available as a stand-alone solution, but it’s also integrated into the Code Sight IDE plugin, giving developers instant access to relevant secure coding training as security defects are flagged in their code.
- Virtual ILT. You can still bring your staff together for specific training via online classes developed and taught by certified professionals with hands-on experience working directly with clients on their security challenges. While some courses are designed to be delivered on-site, many courses are available for online delivery as well.
Know what’s in your code
Supplementing testing capacity and boosting the security skills of your team will help you manage staffing challenges. But what about the vulnerability of your applications themselves? What can you do to prepare for a potential increase in cyber attacks?
Perimeter defense mechanisms, such as web application firewalls (WAFs), can be part of the solution. But for many organizations that deliver online services, the web and mobile applications they build are the perimeter. Most of these applications are built on a foundation of open source, which can constitute as much as 90% of the code. And as shown by vulnerabilities such as Heartbleed, as well as the Equifax breach, hackers target open source vulnerabilities. If you don’t already know what open source is in your code, you’re leaving sensitive data and systems exposed.
Ultimately, you should be integrating and automating open source risk management throughout the SDLC with a software composition analysis (SCA) solution such as Black Duck. But consider these steps you can take to quickly assess your vulnerability to attacks against open source security flaws in the software you build and the applications, libraries, and containers you obtain from third parties:
- Open source vulnerability scans using a binary analysis solution such as Black Duck Binary Analysis analyze application binaries (executables, libraries, etc.) to create a software bill of materials (BOM) of open source components in use and identify those that are vulnerable. With Black Duck, you can also identify other forms of security and data leakage risks based on how the code was compiled.
- Open source audits, such as those offered by Black Duck Audit Services, are security, quality, and compliance assessments of an application or codebase performed by a remote team of experts. The Black Duck Audit Services team supports rapid turnaround for high-priority projects where thorough analysis and comprehensive results are critical.
Out of adversity comes opportunity
We don’t know what the new “normal” work environment will look like when offices reopen and staff return. But in the meantime, AppSec teams can learn from current working situations, focus their efforts, and make changes to maintain application security during today’s adverse conditions and improve their ability to build secure, high-quality software going forward.
Our mission and commitment in the Synopsys Software Integrity Group is to help you do that.
