How to cyber security: Invisible application security

By : By: Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group | Wednesday, September 01 2021 - 01:35 IWST

Application security
Application security

INDUSTRY.co.id - I really love the keyless entry system on my car. The “key” is not a key in the traditional sense; all I have to do is put it in my pocket and forget about it. When I reach for the car door handle, it simply unlocks. When I leave the car, I wave my hand over the handle to lock the car.

This is nice because I don’t ever have to take the key out of my pocket, which lowers the risk that I will accidentally leave it somewhere or lock it inside the car.

But better yet, I don’t have to think about it. The car is locked until I need it to be unlocked.

Set-and-forget

This is a variation on set-and-forget, one of my favourite principles. If I’m going to spend time and money to fix a problem, I would like it to stay fixed.

For example, I have rain gutters at the edges of my roof to catch runoff. Unfortunately, these gutters also fill up with pine needles from nearby trees. I can solve this problem by clearing out the pine needles and other debris, but I’d have to do this at least once a year.

Instead, I can install a system that allows water into the gutters but not pine needles or leaves, which means I never worry about my rain gutters again.

Give your developers a clear runway

Software developers also want things that just work — they want problems to stay fixed. They like clear definitions and cleanly delineated responsibilities.

From this standpoint, the first generation of application security was a special kind of hell. Application security testing was performed very late in the software development life cycle (SDLC), typically just before release, when the development team thought they were done.

Security testing usually produces a very long list of findings, which might or might not be real problems, and which might or might not make sense to the development team. They thought they were finished, so they were frustrated by having a big pile of findings thrust upon them without necessarily understanding the implications.

In this first generation of application security, security teams were also frustrated. They worked hard to run security tools and were usually swamped with testing demands from all the development teams in an organisation.

Furthermore, many development teams, under time pressure to release products, might minimise or ignore the issues reported by security teams.

Invisible AppSec

In the second generation of application security, development teams could automate and integrate application security testing into the development process, creating a much smoother experience. Security teams, instead of scrambling to preform security testing for teams that don’t always appreciate their efforts, work as advisors and mentors to development teams.

In this second generation, developer workflows are minimally disrupted. When application security is automated into existing build and package processes, developers don’t have to think about it. And when application security results are integrated into existing issue-tracking systems, developers can work through security issues just like any other functional issues. Application security is a crucial part of the development process, but it fades into invisibility in a very positive way.

The coming Nirvana

A new generation of application security is happening now. If you have successfully transitioned to the second generation of AppSec, you have some new challenges to wrestle:

Different security tools produce different kinds of results in different formats. You need a way to combine, deduplicate, and homogenise results.

Application security is about managing risk. You need a way to triage and prioritise all your findings, so you can spend your time and money fixing the most dangerous findings first.

As you automate more security tools into your development process, you’ll realise that you probably don’t need to run every tool on every developer commit. You need an intelligent approach to orchestration so that you are running the right tests at the right time, making the most of your available resources.

News Comment

Today's Industry

President Jokowi inspects vaccination for students at State Vocational High School SMKN 1 Beringin, Deli Serdang regency, Thursday (16/9). (Photo by: Presidential Secretariat/Laily Rachev)

Senin, 20 September 2021 - 13:05 WIB

President Jokowi Lauds Students’ Enthusiasm for In-Person Learning

President Joko “Jokowi” Widodo inspected COVID-19 vaccination for students at Vocational High School SMKN 1 Beringin, Deli Serdang regency, North Sumatra, Thursday (16/9).

Vice President Ma’ruf Amin (Photo: BPMI)

Senin, 20 September 2021 - 12:15 WIB

VP Calls for Public Collaboration to Combat Drugs Abuse

Vice President Ma’ruf Amin has urged the nation to join hands and participate in a joint effort to eradicate drug abuse.

President Jokowi on his inspection of door-to-door vaccination at Panampaan village, Harjamukti district, Cirebon city, Tuesday (31/08). (Photo by: BPMI/Muchlis Jr)

Senin, 20 September 2021 - 11:08 WIB

President Jokowi in Aceh to Inspect Door-to-Door COVID-19 Vaccination

President Joko “Jokowi” Widodo started his working visit in the provinces of Aceh and North Sumatra by inspecting the door-to-door COVID-19 mass-vaccination in Aceh Besar regency.

The Pacific Asia Travel Association (PATA)

Rabu, 15 September 2021 - 19:44 WIB

PATA launches Virtual PATA Wellness and Luxury Travel Conference and Mart 2021 in October

The Pacific Asia Travel Association (PATA) is pleased to announce the launch of the Virtual PATA Wellness and Luxury Travel Conference and Mart 2021, taking place from October 20-22.

[Caption: ADM representatives and government officials at the opening of the new advanced flavor production facility, ADM Food Technology (Pinghu) Co., Ltd.]

Rabu, 15 September 2021 - 18:38 WIB

ADM Further Expands Global Nutrition Capabilities With Advanced Flavor Production Facility in Pinghu, China

ADM (NYSE: ADM) today unveiled the ADM Food Technology (Pinghu) Co., Ltd., a state-of-the-art, fully automated flavor production facility situated in Pinghu, Zhejiang Province, China.