In order for an AppSec team to collaborate effectively with development teams, they should think in three phases: Awareness, Enablement, and Enforcement. This month I’ll be dedicating an article to each. These articles will focus on the critically important area of application security, specifically the roles involved in building software: developers (DevOps), testers, and architects.
Awareness training arms your team to understand how important security is and when to raise their hand for security support. Application security awareness can start with a series of talks, but the best awareness comes from hands-on training. Getting the team to find, fix, or discuss vulnerabilities and threat scenarios is critical in giving them the awareness of when to think about security. The goal of this training isn’t to give the team the ability to find or fix vulnerabilities yet; it is to build a sense of impact and risk. A successful awareness program provides experiences to draw from that will pop into their heads as they build or test. You want them to be able to recognize when to say “Wait, this has security implications. I’d better reach out to the security team!”
Enablement makes security easier for your team through automation and expert knowledge. Your security team needs to build the trust of the rest of the organization and improve its processes by understanding their pain points and then solving them in ways that are easy to accept and adopt. This may mean instrumenting part of the Dev/Sec/Ops pipeline, building out better libraries, frameworks, or defaults, building security unit tests, or enabling testers to perform security testing alongside the rest of their test suite. The most important part of this phase is to help build software, not slow it down. The security team doesn’t exist to enforce its will on the rest of the company, but to enable them to meet their objectives. I call this “falling into a pit of success”: make doing the secure thing easier than the insecure one.
Enforcement is the backstop to security. This is defense in depth. Traditionally this is where most security programs start, but to be effective, security teams need to win hearts and minds far, far earlier. In a mature model, most security activities are performed and most issues are found before the security team gets its hands on the software. Enforcement exists to double-check that procedures have been followed and to catch issues that slip through the cracks. This is also often where audit, compliance, and regulatory checks are performed.
Sometimes security teams will feel as if they are the last bastion fighting against a dev team that is ready to deploy insecure software to get features out. However, we are all in the business of building secure software and building trust with our customers. Every person at your company is trying to balance the many facets of quality software as best they can. Understanding how security fits into your overall process, and how to build secure software without slowing development and deployment down, is critical to the success of any company. A cooperative model will always be more effective than an adversarial one.