Here are three ways application security teams can respond to staffing challenges and increased security risks today while strengthening their AppSec program for the future.
Organizations right now are facing the prospect of months of staffing and business continuity challenges. At the same time, cyber attacks by opportunistic hackers and cyber crime groups looking to profit or further disrupt society are increasing. Application security teams have to ensure the software they build and operate is secure against these increasing attacks, even as their available resources may be decreasing.
It’s a daunting task. However, by tactically addressing their security testing capacity, staff skills, and software supply chain risks today, AppSec teams can respond to resource challenges now while fundamentally improving the effectiveness of their AppSec program going forward. Here’s how.
Skilled AppSec professionals are difficult to find in the best of times, but office closures and travel restrictions make it even more challenging to staff projects and continue business operations. If your team was understaffed before, they might be completely overwhelmed now, especially in light of the increased need to protect the organization from opportunistic hackers.
To maintain business continuity over the next few months, security teams will need to rethink how they prioritize and staff projects. Managed Application Security Testing services can help by giving you access to remote teams of application security testing experts when you need them.
Our Managed Security Testing offerings give you extreme flexibility and agility to adjust and optimize your security testing capacity as your needs change:
Regardless of how you choose to combine testing types, depths, and schedules, you can be confident that your applications will be tested by trained security experts using the most advanced tools and testing techniques available.
While augmenting your existing application security staff is an immediate consideration, so too is investing in them, particularly your developers. They are your first line of defense against cyber attacks on the software your teams produce.
Unfortunately, most developers have little, if any, formal training in secure software development. According to research conducted by Forrester, none of the top 40 college computer science programs in the U.S. require even a single class on secure coding or secure application design. The burden of security training falls on security and development teams themselves. But how do you train your staff when you can’t bring them together for classes?
Even if traditional, on-site instructor-led training (ILT) isn’t possible, you have great options for both scheduled and self-directed training that teams can access from any location:
Supplementing testing capacity and boosting the security skills of your team will help you manage staffing challenges. But what about the vulnerability of your applications themselves? What can you do to prepare for a potential increase in cyber attacks?
Perimeter defense mechanisms, such as web application firewalls (WAFs), can be part of the solution. But for many organizations that deliver online services, the web and mobile applications they build are the perimeter. Most of these applications are built on a foundation of open source, which can constitute as much as 90% of the code. And as shown by vulnerabilities such as Heartbleed, as well as the Equifax breach, hackers target open source vulnerabilities. If you don’t already know what open source is in your code, you’re leaving sensitive data and systems exposed.
Ultimately, you should be integrating and automating open source risk management throughout the SDLC with a software composition analysis (SCA) solution such as Black Duck. But consider these steps you can take to quickly assess your vulnerability to attacks against open source security flaws in the software you build and the applications, libraries, and containers you obtain from third parties:
We don’t know what the new “normal” work environment will look like when offices reopen and staff return. But in the meantime, AppSec teams can learn from current working situations, focus their efforts, and make changes to maintain application security during today’s adverse conditions and improve their ability to build secure, high-quality software going forward.
Our mission and commitment in the Synopsys Software Integrity Group is to help you do that.