Much has been made of the need for security teams to help application developers produce more secure code, and that is certainly important. But organizations can’t adequately defend themselves against increasingly sophisticated cybersecurity threats unless they pay attention to the human element.
“Writing good quality code is not enough to improve the security of your applications,” Immersive Labs Senior Security Engineer Mat Rollings wrote in a recent blog post. “It is essential to foster and maintain a security-first mindset and environment. This will minimize the number of vulnerabilities in your code and ultimately reduce the risk of an extremely costly data breach within your organization. You can achieve this in a number of ways, but the human element is absolutely critical.”
To keep the focus on that human aspect, Rollings came up with eight suggestions to help individual application security practitioners up their game:
- Simplify: Less code means fewer bugs. Write clean reusable code to reduce the size of your code base and decrease the attack surface of your application. Doing so will also improve maintainability and make code reviews easier.
- Shift-left: The sooner in the Software Development Lifecycle (SDLC) a vulnerability can be caught, the cheaper it will be in time, money and effort to resolve. Embedding security into the design process can ensure that vulnerabilities are minimized during development.
- Develop, learn & stay up to date: Attackers are constantly evolving their skills and so should you. Keeping your finger on the pulse to stay up to date with the latest threat intelligence and vulnerability lists will help shorten the time needed to tackle your next security risk. It’s crucial to learn new things, try out the latest tools, and keep up with security and programming best practices.
- Communicate effectively: Clear and open communication is essential for a healthy team and organization, and it is just as important for security for a few reasons. Ensuring everyone is on the same page can help to avoid misunderstandings and miscommunication. It can also help to identify potential security risks before they have a chance to cause serious damage. Fostering an environment of open communication can help to build trust between security team members and other stakeholders. At a minimum, you should have a contact available for raising security issues. One way of doing this is creating a security.txt file. Also consider running a bug bounty program to incentivize security researchers to find and disclose vulnerabilities.
- Develop a security mindset: Be paranoid. Think like an attacker. Increase your preparedness by planning for the worst, running through what-if scenarios and playing out how you would respond. It is important to hold critical code reviews and to be good at them.
- Become a security champion: It’s important that everyone inside an organization is aware that security is one of their responsibilities. Find ways to make the awareness process engaging. Championing security and secure coding practices within your team and organization doesn’t have to be all or nothing. Start with something small such as security linter plugins and nurture that cultural shift towards things like security-focused workshops until secure code feels like second nature.
- Automate the boring repetitive stuff: You don’t have time to test for every vulnerability and you can’t do it faster and more reliably than a computer. Invest in CI/CD and automated testing, and integrate tools such as SAST, DAST, and SCA scanners. This will multiply your effectiveness and free up time to focus on the human side of AppSec, improving your and your team’s knowledge and preparedness.
- Learn from your mistakes: Don’t beat yourself up when you make mistakes or find vulnerabilities in your code. A good developer learns from their mistakes; a great developer also learns from the mistakes of others. Be aware that when you find and resolve a vulnerability, it and slight variations of it may exist in multiple places across the organization.
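
The security.txt file suggested under "Communicate effectively" is specified in RFC 9116, which requires at least one Contact field and exactly one Expires field. The following check is an added example, not code from Rollings's post; it assumes an unsigned file, and the sample files and example.com addresses are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed samples; example.com addresses are placeholders.
GOOD_SAMPLE = """\
# Constructed security.txt for illustration
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
"""
BAD_SAMPLE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""

def check_security_txt(text, now=None):
    """Return a list of RFC 9116 problems in an unsigned security.txt body."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"line {n}: not a 'Field: value' pair")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    contacts = fields.get("contact", [])
    if not contacts:                               # Contact is required
        problems.append("missing required Contact field")
    for c in contacts:                             # must be a URI; web URIs need https
        if urlsplit(c).scheme in ("", "http"):
            problems.append(f"Contact is not a mailto:, tel: or https:// URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:                          # required, exactly once
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None or when <= now:
                problems.append("Expires is in the past or lacks a UTC offset")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages may appear at most once")
    return problems
```

Run in CI against the file served at `/.well-known/security.txt`, a check like this catches an expired or malformed contact record before a researcher does.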