CIO opinion
Modern tools need to take this into account and be tuned for two things: maximum coverage, so that all critical security issues are found, and low noise, so that developers aren’t troubled with lots of false positives and don’t eventually end up removing testing from their workflows. The entire goal of shifting left and bringing application security closer to the developer is to automate the process, making it quicker with minimal disruption to the development team. If you automate testing with lots of false positives, you’ll be unnecessarily stopping the development delivery process.
By adopting a solution that has a lower false positive rate, businesses can get the benefit of application security testing without unnecessarily disrupting the developer workflow.

4. Create security champions

Having a Security Champion on every development team will guarantee security knowledge is part of every decision when building software. The Security Champion is a member of the development team who has been trained by, and works in close contact with, the security team, and who acts as an adviser and expert who can intervene when design or implementation problems arise in the development process. The individual in this role can help reduce the complexity of secure coding for developers by collaborating on immediate remediation.

Security Champions also help to reduce culture conflict between development and security by amplifying the security message on a peer-to-peer level. They don’t need to be experts; they are more like the ‘security consciousness’ of the group.

The CISO is often seen as the one who’s responsible for making sure a company is secure. This is outdated and unrealistic thinking – the CISO can’t be everywhere. In reality, developers need to be responsible for building secure software and the CISO bears the responsibility to provide the tools, process and governance.

5. Develop a culture of visibility

Contrary to how many developers think of application delivery, the responsibility doesn’t stop once the product is in production. One of the major innovations of DevOps is that it makes teams responsible for the product and for dealing with any issues that may come up in production.

There are several considerations for how to keep visibility of security incidents in production, with live running applications. One responsibility is to monitor applications to understand whether they are under attack, and then to take corrective action. This can be done with a variety of tools and practices, many of which teams may already be using but which may require some tuning to isolate attacks. This could include correlating product logs into security intelligence, or writing special rules that fire when certain conditions occur, so that unusual or suspicious activity can be monitored.

Another responsibility teams have is to understand what the entire attack perimeter of their organisation is and to ensure applications have been subjected to the right degree of security rigour. The organisation as a whole needs to know what’s out there, to understand which of the applications may put the enterprise at risk, and to be prepared to act quickly if a highly vulnerable application poses a risk to the enterprise.

The bottom line is that application security success is about more than finding security flaws; it’s about fixing them. In the DevOps era, security and development have to work together to ensure that flaws are identified, prioritised and fixed. If developers are provided with modern tools to accomplish their goals on schedule while also producing secure code, they will make progress on reducing the security debt in their software.
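The monitoring responsibility described under section 5 above, correlating product logs and writing rules that fire when certain conditions occur, is the kind of thing a team can start with a few dozen lines before it owns a full SIEM. The following is an added example written for this page, not code from the article or any product it mentions. The log format, the two rules, their thresholds and the sample log lines are all constructed assumptions: a sliding-window counter per client IP raises one alert when a rule's threshold is crossed, and a correlation step escalates when a client that has already tripped the failed-login rule then logs in successfully.

```python
"""Added example (not from the article): a small sliding-window rule engine
that turns application access logs into alerts. Log format, thresholds and
sample log lines are constructed for illustration only."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Tuple

# Constructed sample log, one request per line:
# <ISO timestamp> <client_ip> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 POST /login 401
2024-05-01T10:00:02 203.0.113.7 POST /login 401
2024-05-01T10:00:03 198.51.100.4 GET /products 200
2024-05-01T10:00:05 203.0.113.7 POST /login 401
2024-05-01T10:00:06 203.0.113.7 POST /login 401
2024-05-01T10:00:08 203.0.113.7 POST /login 401
2024-05-01T10:00:09 203.0.113.7 POST /login 200
2024-05-01T10:01:00 192.0.2.9 GET /admin 404
2024-05-01T10:01:01 192.0.2.9 GET /backup 404
2024-05-01T10:01:01 192.0.2.9 GET /old 404
2024-05-01T10:01:02 192.0.2.9 GET /test 404
2024-05-01T10:01:02 192.0.2.9 GET /config 404
2024-05-01T10:01:03 192.0.2.9 GET /debug 404
2024-05-01T10:03:00 198.51.100.4 POST /login 401
2024-05-01T10:04:00 198.51.100.4 POST /login 401
2024-05-01T10:09:00 198.51.100.4 POST /login 401
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log format into an Event."""
    ts, ip, method, path, status = line.split()
    return Event(datetime.fromisoformat(ts), ip, method, path, int(status))


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Event], bool]  # which events count towards this rule
    threshold: int                    # how many matching events ...
    window: timedelta                 # ... within this period, per client IP


# Hypothetical rules: the thresholds are starting points to tune per application.
RULES = [
    # Many failed logins from one client in a short period.
    Rule("failed-login-burst",
         lambda e: e.path == "/login" and e.status == 401,
         threshold=5, window=timedelta(seconds=60)),
    # One client requesting many non-existent paths in quick succession.
    Rule("not-found-scan",
         lambda e: e.status == 404,
         threshold=6, window=timedelta(seconds=30)),
]


def detect(lines, rules=RULES) -> List[Dict]:
    """Run every rule over the log lines; return one alert per (rule, ip)."""
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for rule in rules:
            if not rule.matches(ev):
                continue
            key = (rule.name, ev.ip)
            q = windows[key]
            q.append(ev.ts)
            # Drop timestamps that have fallen outside the rule's window.
            while q and ev.ts - q[0] > rule.window:
                q.popleft()
            if len(q) >= rule.threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"rule": rule.name, "ip": ev.ip, "count": len(q),
                               "first_seen": q[0], "last_seen": ev.ts})
        # Correlation: a successful login from a client that already tripped
        # the burst rule is a stronger signal than either event on its own.
        esc = ("login-success-after-burst", ev.ip)
        if (ev.path == "/login" and ev.status == 200
                and ("failed-login-burst", ev.ip) in alerted
                and esc not in alerted):
            alerted.add(esc)
            alerts.append({"rule": esc[0], "ip": ev.ip, "count": 1,
                           "first_seen": ev.ts, "last_seen": ev.ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['last_seen'].isoformat()} {a['rule']:27} {a['ip']:13} "
              f"count={a['count']}")
```

On the sample data the engine raises three alerts: the burst of five 401s from 203.0.113.7, the successful login that follows it, and the six 404s from 192.0.2.9. The three failed logins from 198.51.100.4 are spread over six minutes and never reach the threshold inside the window, which is the "low noise" property the article asks for: the rule is tuned so that ordinary mistyped passwords do not page anyone. The same structure (match predicate, threshold, window, per-client state) carries over directly to the rule languages of most log platforms.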
48
INTELLIGENTCIO
www.intelligentcio.com