The program should start small, with a very specific list of items to tackle; mastering them will drive you towards success. Concentrating on a few simple classes of security bug, prioritized by business importance, can make a big impact on your Security posture by quickly improving your weakest areas.
As Peter Drucker, the founder of modern management, said: “If you can’t measure it, you can’t manage it”. During this exercise everything has to be measured: every defect found must be tracked and logs must be collected. This information has to be made visible, so that anyone can take action on it.
Application Security is team-based work, so you will need help from developers and Security peers, and to get that assistance you will first need to build a relationship of trust with them.
The foundation of a good Application Security program rests on three main components:
Code Review
Large applications have a huge amount of code to review, so the first thing to do is to define where good coverage is needed. In practice this means identifying the features that are most critical from a security standpoint and that must be inspected before they are deployed. Some aspects to consider here are user input and output validation and the appropriate use of authentication, authorization and encryption. Static Analysis (SAST) is an exceptional tool to have, but it is far from perfect: although it automates many mundane tasks, it supplements rather than replaces humans, and a good code review program is still needed.
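To make the SAST-versus-reviewer point concrete, here is a small added example (constructed for this article, not code from any real project) in Python with an in-memory SQLite table. The string-concatenated query is the kind of mundane pattern a static analyser reliably flags; the `get_invoice_unchecked` function uses a parameterised query that a scanner is happy with, yet it never checks that the caller owns the invoice, which is exactly the kind of authorization flaw only a human reviewer who understands the feature will catch. Table name, column names and the sample rows are assumptions for the illustration.

```python
"""Added example: one bug SAST finds, one it does not.

All names and data below are constructed for illustration; nothing here
comes from a real code base.
"""
import sqlite3


def make_db():
    # Constructed sample data: two invoices owned by two different users.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, total INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250)],
    )
    return conn


def get_invoice_unchecked(conn, user, invoice_id):
    # Parameterised query: no injection, so a SAST tool reports nothing.
    # But `user` is never used: any authenticated user can read any invoice.
    # This is a semantic authorization bug (a missing ownership check) that a
    # pattern-based scanner cannot see and a code reviewer should.
    return conn.execute(
        "SELECT id, owner, total FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_checked(conn, user, invoice_id):
    # Hardened form: the ownership check is part of the query, so a request
    # for someone else's invoice returns nothing.
    return conn.execute(
        "SELECT id, owner, total FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, user),
    ).fetchone()


def search_invoices_concat(conn, owner):
    # String concatenation into SQL: the classic injection sink that static
    # analysis flags reliably (and that a tired reviewer may skim past).
    return conn.execute(
        "SELECT id FROM invoices WHERE owner = '" + owner + "'"
    ).fetchall()


def search_invoices_param(conn, owner):
    # Hardened form: the same search with a bound parameter.
    return conn.execute(
        "SELECT id FROM invoices WHERE owner = ?", (owner,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # alice can read bob's invoice through the unchecked function...
    print(get_invoice_unchecked(db, "alice", 2))   # (2, 'bob', 250)
    # ...but not through the checked one.
    print(get_invoice_checked(db, "alice", 2))     # None
    payload = "x' OR '1'='1"
    print(search_invoices_concat(db, payload))     # both rows
    print(search_invoices_param(db, payload))      # []
```

Running both pairs side by side shows why the article keeps humans in the loop: the injection is a syntactic pattern, the missing ownership check is a property of the feature's intent, and only the review program knows what that intent was.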
Secure Code Training
This process should start by leveraging the vulnerabilities found in the company’s own code, using code reviews to drive the training. All developers should receive language-specific secure coding education and awareness training at least annually, with good examples and best practices provided.
Design Review
This stage should be led by developers with the Security team’s assistance. Every meaningful new feature should receive an in-depth design review. Each risk identified needs an outlined mitigation, and both the results and the decisions taken have to be documented.
As the process evolves, it can be tweaked to target specific weaknesses, best practices can be reinforced with automation, the use of secure frameworks and services can be proposed, and even non-security issues affecting your organization may surface. Additionally, you can start incorporating complementary controls such as Dynamic Analysis (DAST), Runtime Application Self-Protection (RASP), Web Application Firewalls and Penetration Testing.