How to cyber security: Invisible application security

By : By: Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group | Wednesday, September 01 2021 - 01:35 IWST

Application security
Application security

INDUSTRY.co.id - I really love the keyless entry system on my car. The “key” is not a key in the traditional sense; all I have to do is put it in my pocket and forget about it. When I reach for the car door handle, it simply unlocks. When I leave the car, I wave my hand over the handle to lock the car.

This is nice because I don’t ever have to take the key out of my pocket, which lowers the risk that I will accidentally leave it somewhere or lock it inside the car.

But better yet, I don’t have to think about it. The car is locked until I need it to be unlocked.

Set-and-forget

This is a variation on set-and-forget, one of my favourite principles. If I’m going to spend time and money to fix a problem, I would like it to stay fixed.

For example, I have rain gutters at the edges of my roof to catch runoff. Unfortunately, these gutters also fill up with pine needles from nearby trees. I can solve this problem by clearing out the pine needles and other debris, but I’d have to do this at least once a year.

Instead, I can install a system that allows water into the gutters but not pine needles or leaves, which means I never worry about my rain gutters again.

Give your developers a clear runway

Software developers also want things that just work — they want problems to stay fixed. They like clear definitions and cleanly delineated responsibilities.

From this standpoint, the first generation of application security was a special kind of hell. Application security testing was performed very late in the software development life cycle (SDLC), typically just before release, when the development team thought they were done.

Security testing usually produces a very long list of findings, which might or might not be real problems, and which might or might not make sense to the development team. They thought they were finished, so they were frustrated by having a big pile of findings thrust upon them without necessarily understanding the implications.

In this first generation of application security, security teams were also frustrated. They worked hard to run security tools and were usually swamped with testing demands from all the development teams in an organisation.

Furthermore, many development teams, under time pressure to release products, might minimise or ignore the issues reported by security teams.

Invisible AppSec

In the second generation of application security, development teams could automate and integrate application security testing into the development process, creating a much smoother experience. Security teams, instead of scrambling to preform security testing for teams that don’t always appreciate their efforts, work as advisors and mentors to development teams.

In this second generation, developer workflows are minimally disrupted. When application security is automated into existing build and package processes, developers don’t have to think about it. And when application security results are integrated into existing issue-tracking systems, developers can work through security issues just like any other functional issues. Application security is a crucial part of the development process, but it fades into invisibility in a very positive way.

The coming Nirvana

A new generation of application security is happening now. If you have successfully transitioned to the second generation of AppSec, you have some new challenges to wrestle:

Different security tools produce different kinds of results in different formats. You need a way to combine, deduplicate, and homogenise results.

Application security is about managing risk. You need a way to triage and prioritise all your findings, so you can spend your time and money fixing the most dangerous findings first.

As you automate more security tools into your development process, you’ll realise that you probably don’t need to run every tool on every developer commit. You need an intelligent approach to orchestration so that you are running the right tests at the right time, making the most of your available resources.

News Comment

Today's Industry

Collaboration and innovation is a common thread of various Business Twenty (B20) forums as an important part of G20 activities in 2022. (Foto: Liputan6.com)

Selasa, 21 Juni 2022 - 17:53 WIB

Inter Sectors Collaboration in Strengthening SMEs, Key for Post-Pandemic Recovery Acceleration

Indonesia owns an important role to support the world’s policy that prioritize various parties collaborations as the key to realize an inclusive world economy, included Small Middle Enterprises…

Collaboration and innovation is a common thread of various Business Twenty (B20) forums as an important part of G20 activities in 2022. (Foto: Liputan6.com)

Senin, 06 Juni 2022 - 21:35 WIB

Collaboration and Innovation, Key to support Inclusive Economy Growth

Collaboration and innovation is a common thread of various Business Twenty (B20) forums. This is an important part of G20 activities in 2022. That matters are also going to become a main key…

NORD-DuoDrive.jpg: The innovative and patented DuoDrive geared motor reaches outstanding system efficiency Image: NORD DRIVESYSTEMS

Selasa, 17 Mei 2022 - 14:00 WIB

NORD DRIVESYSTEMS at LogiMAT in Stuttgart From 31st May to 2nd June 2022 NORD will present innovative drive solutions for intralogistics

The specialist LogiMAT exhibition in Stuttgart offers as comprehensive overview of the intralogistics and process management market. As one of the market leaders for drive technology, NORD presents…

President Jokowi attends the meeting between ASEAN leaders and American entrepreneurs at Intercontinental the Willard Hotel, Washington DC, Thursday (05/12). Photo by: Laily Rachev

Selasa, 17 Mei 2022 - 13:00 WIB

President Jokowi Invites US CEOs to Boost Cooperation with Indonesia

President Joko “Jokowi” Widodo has invited company CEOs in the United States to boost cooperation with ASEAN countries, particularly Indonesia.

President Jokowi, President Biden, and ASEAN Leaders on a group photo prior to the dinner, at the White House, Washington D.C., Thursday (05/12)

Selasa, 17 Mei 2022 - 12:28 WIB

President Jokowi, ASEAN Leaders Attend Dinner Hosted by US President

President Joko “Jokowi” Widodo Thursday (05/12) attended a dinner with the leaders of ASEAN countries hosted by President of the United States Joe Biden at the White House, Washington D.C.