Scaling application security takes some hard work – but it can also present just as big an opportunity. Once a company gets it right, a strong AppSec program can drive the security vision of the organization. But like any group, an AppSec team takes time to mature and it’s often only then that the team starts to get a sense of the essentials.
When building an AppSec program, the security team needs to dig into the organization’s application architectures and business priorities to better understand the portfolio. This helps the team prioritize based on risk profiles and identify where potential gaps exist relative to industry standards. It also builds credibility with the product team when the security team takes the time to understand their product or service, as opposed to just throwing tools over the wall with no explanation.
These initial steps will get an AppSec team off the ground, but what comes next? Adobe’s security team has navigated many challenges and opportunities in scaling our AppSec program over the last several years – and we’ve learned a few fundamentals along the way:
- Adapt quickly.
Foster a team culture that drives continuous learning and experimentation – and thus, innovation. AppSec teams need to stay ahead of the curve on the changing landscape of technology, arguably more than any other security team. We’ve seen a major shift in the way we interact with applications and services over the past decade and that will only continue with technologies like edge computing.
Adobe’s AppSec team was initially skilled in desktop security topics – but, we had to evolve our skillset alongside the company’s expanded portfolio in cloud and mobile platforms. For some team members, this meant learning new technologies and skills; we also made new hires who had more specialization in web and cloud technology. We grew alongside the rest of the company, making mistakes along the way, but ultimately became a more mature and knowledgeable cloud and web-focused team.
- Use penetration tests, threat modeling and tool-based scans.
Security teams often solve security issues in a reactive manner – largely driven by broader security vulnerabilities that affect many companies at once. Minimize the impact of industrywide issues by taking a more proactive approach that employs penetration tests, threat modeling and tool-based scans. It’s also vital to build a robust Product Security Incident Response Team (PSIRT), or vulnerability response program, so third-party security researchers can easily report issues with the company’s products and services.
By probing an application in its entirety and starting the security review process as early as possible, the team mitigates future issues, improves the security posture of the entire company and surfaces strategic recommendations for changes and further security improvements.
- Maximize automation.
Automation becomes harder the further left (earlier) in the software development life cycle (SDLC) the company goes. As such, the team should adopt an “improve the left by learning from the right” mentality: automate what can be automated later in the cycle, and shift human focus to the earlier stages. The “shift-left” recommendation means baking security controls in as early as possible. With automation in place across the life cycle, AppSec researchers can draw on it during manually driven reviews and when defining or enforcing security configurations and access controls for production deployments.
Automation helps balance AppSec operations across the stages of the SDLC, adding coverage and depth to security reviews. Early course correction, when the tooling is configured properly and to the company’s needs, builds more efficient workflows that identify potential risks for the organization and reduce errors – especially as companies try to stay ahead of evolving threats during the pandemic.
- Communicate and collaborate with engineering teams.
AppSec teams must effectively communicate priorities and goals with engineering. Work towards being an extended part of those teams – and not an external team that casts its security judgment on the service under development. Stay in close contact throughout the development cycle – plans change, and security questions may come up that could fall through the cracks if the team doesn’t check in regularly.
- Don’t forget about other security stakeholders.
The AppSec team will work most closely with engineering and product development teams, but don’t forget to engage other relevant stakeholders, including compliance, operations, privacy and legal. It’s critical to have collaboration and information sharing among these groups to help ensure industry and compliance best practices are baked into your security stack at the start. Finally, streamline the security review process for the product teams – who are, after all, the AppSec team’s internal customers.
While every AppSec team grows and evolves in its own way, we hope these essential best practices will help companies establish effective and innovative AppSec teams that deliver value to their organizations and customers.
David Lenoe, director, secure software engineering, Adobe