Making security easy for developers, in their preferred tools, while still generating reports for the CISO is a challenge many organizations face today, when the reality is that late-stage security approaches can’t plug vulnerabilities deep within applications.
Yet putting the onus squarely on developers is a gamble, as many aren’t knowledgeable about certain kinds of vulnerabilities, or where they might lie, such as in an open-source component or in an API.
So organizations are meeting the challenge of application security by creating development ‘squads,’ made up of developers, testers, security personnel and the product team, to prevent vulnerabilities from making their way into an application.
To create the squad, Simon King, vice president of solutions for the Synopsys Integrity Group, strongly recommends hiring a couple of security experts who have already done that in the past, “because trying to figure it out from scratch will just take you too long and you’ll miss just very basic things.” After the experts are on board, he said to complement the team with people from the product teams who know much better where weaknesses may lie.
Then, he recommends, set up e-learning to train back into the organization and eventually push security personnel out into the product teams, from where security champions will emerge.
Four levels of security
King explained there are four levels of security that many organizations go through: security as a cost center, as compliance, as technology, and ultimately as a business enabler. From the cost center perspective, he said, organizations are concerned with what tools to buy that “tick the box” for a particular security concern. Security as compliance refers to defining policies that a central team tries to enforce. As technology, organizations look to build these solutions into their pipeline to get the tools leveraged by developers.
King said they then drive a cultural change that moves security teams from acting like police to actually embedding them with the development teams “so they think about things right up front, as ‘what could we do’ instead of ‘what do we have to do now that we’ve already written the code and tested it?’ ” Lastly, only a few of the most mature companies on the planet are at the point where they see security as a business enabler. That, he said, is a pretty fundamental shift “that then enables the kind of thinking that says now that the data is data super-secure, what could we do with it that we couldn’t contemplate doing before because we didn’t trust how who has access to the data, for example.”
In this kind of environment, developers should take on as much testing as they can from the moment an object exists, King explained. From the time a developer reaches into a public repository to pull some JavaScript for an open-source project, he said, you want to ensure it’s the correct version, that there are no known vulnerabilities associated with it, and if licenses comply with corporate policies, because you don’t want to find that out late in the development life cycle. So static analysis and open-source analysis for software composition should be done early on. Then, as the software goes through the pipeline, dynamic testing on APIs that connect applications and services into system architecture will have to be done later in the process, by the very nature of it.
“And then maybe middle of the way down the path you’re going to start looking at the containers you’re running in,” King said. “What’s in that template, all of the different layers from the application down to the container itself, and then ultimately some vulnerabilities only manifest in pretty complex deployment architectures, and so you’re going to do pen test and things like that fairly late stage.”
What Synopsys offers
To help organizations, Synopsys brings together managed software services, professional services and tooling. The company does BSIMM-based interviews to see evolving industry security practices, and turns that around to offer benchmarking, assessment and mapping processes. “These are action plans to say, how do you get from where you are to where you want to be,” King explained.
The professional services team supports implementation and adoption of the tools at scale. King was most excited about the tooling, which covers the spectrum from static security testing to open-source vulnerability analysis to pen testing — creating a holistic application security environment.
Synopsys has research labs working on the company’s multi-petabyte knowledge bases and the tests they write to check for vulnerabilities, while the professional services teams provide the company with deep insight into their customers because they work so closely with their customer-facing teams. King said, “We bring that expertise, that customer intimacy, that’s otherwise hard to attain.”
Content provided by SD Times and Synopsys