Application security programs are vital to ensuring that every organization reduces the risk associated with their applications and provides secure software to consumers. A good application security (AppSec) program involves implementing various security testing tools and processes, including SAST, DAST, SCA, and Secret scanning. However, without proper engagement and collaboration from the core engineering team, several AppSec programs have seen their efforts go to waste.
Before building rapport with the engineering teams, it is essential to understand the scope of the security team’s proposed AppSec program. This involves measuring the current level of engineering maturity within the team and measuring the ratio and availability of engineers to security engineers, which will dictate the effort needed from both sides and the speed with which the teams will remediate vulnerabilities. What’s important to note here is that for both teams to work in liaison with each other, it is critical to encourage open communication and collaboration between them. This can be done through regular meetings, joint training sessions, and sharing best practices with each other’s team. It is not enough to encourage collaboration and watch as the vulnerabilities get fixed, as there is always a cost factor involved with any vulnerability that has made it into the code past the development phase. And this proves costly to identify and fix later on. Hence, involvement of the AppSec teams early on in the development process through various activities such as threat modeling, design reviews, communication of secure coding, and secure design practices to the squad would go a long way in ensuring that we reduce the possibility (reduce, not completely nullify) of security vulnerabilities creeping up in code somewhere in the QA/Testing/VAPT phase. Besides this, it would also help both teams stick to their roles if we provided clear guidelines and expectations, including what each team is responsible for and how they should work together. This can help avoid misunderstandings and ensure everyone is aligned on goals and objectives. Sometimes, issues arise due to differences in opinions or misalignment related to remedying vulnerabilities. Establishing a process for resolving security vulnerabilities during development or testing helps ensure that these vulnerabilities are addressed promptly and that there is clear accountability for remediation from whichever team is responsible. It does no good for each team to point fingers at the other due to a lack of understanding of the remediation process and clear roles & responsibilities.
As with every team in any organization, cultivating a culture of knowledge sharing between the engineering and AppSec teams can greatly help team bonding and reduce friction. This can be done through cross-training, sharing of documentation, and collaboration on projects. This can benefit both teams by better understanding each other’s roles and responsibilities and fostering a sense of shared ownership for the application’s security. Some tried and tested ways include security engineers spending 2-4 hours per week sitting with developers as they develop, test, and raise PR for feature requests or bug fixes to understand the flow. Likewise, it would
significantly sensitize developers if they spend similar time with AppSec teams when security engineers run scans, identify vulnerabilities, and raise them with the engineering squads. Besides knowledge sharing, building a feedback loop and focusing on continuous improvement from both teams on the AppSec program and processes will help bring positive results and lead the AppSec program to success. Gathering this feedback from the developers is essential, as they interact with the program directly. Appsec teams can utilize this feedback to continuously improve the AppSec program and ensure that it remains practical and relevant to the needs of the engineering squad. An example is when the development team requests help on how to fix a particular vulnerability. It would fasten the process if the security team provided some tips/pointers on how to fix the class of vulnerabilities when reporting the vulnerability itself, thus helping the engineering squad understand the risk associated with the vulnerability and how to address it effectively. Burnout is common for every engineering and AppSec team. Therefore it is important to celebrate successes, no matter how small. This helps both teams stay motivated, work towards the long-term goal of reducing risk/vulnerabilities, and create a positive culture of collaboration and shared responsibility.
Once the AppSec program has matured, introducing automation is another way of speeding up the process. Use automation to streamline security testing and integrate it into the development process. This can help reduce the workload on the engineering and AppSec teams and ensure that security testing is consistently applied. Ensure that before any gating is done, it is tested thoroughly by allowing builds to pass, despite vulnerabilities being present. Once the false positive ratios are manageable, and the engineering leaders are informed of the respective gating, only then can gating contribute to the security posture of any team.
Starting with a solid security framework, integrating security testing into the development process, prioritizing risk-based vulnerabilities, and leveraging automation to streamline testing and remediation is a battle-tested way of ensuring the highest probability of success for your AppSec program. As is with every plan, there is no one size fits all approach. There will be plenty of learning opportunities along the way, but what separates an excellent AppSec team from the rest is the ability to apply the new learnings dynamically on the go and modify the process/program in itself to the benefit of both the parties involved and in turn, the organization.
Riyaz Rafi Ahmed
Security Software Engineer – DevSecOps @ Chargebee