As you’re planning and operationalizing upgrades to your web app security posture, here’s one of the top things not to do: don’t foist AppSec off on developers or try to make them drive it.
Sebastien Deleersnyder, co-founder/CTO at Toreon and a recent guest on The Virtual CISO Podcast, emphasizes that the target audience for implementation guidance such as OWASP’s Software Assurance Maturity Model (SAMM) is not developers or other DevOps team members, but the leaders/champions (e.g., a vCISO) responsible for the AppSec program’s success.
A proven assessment path
Sebastien advises: “The worst way that you could so an assessment is send the spreadsheets towards your development teams and say, ‘Hey, can you do this self-assessment?’ That’s not really going to work.”
In Sebastien’s view, a better plan is to conduct workshops and interviews, to build an in-depth understanding of your software development lifecycle (SDLC). Out of that process, you can recognize “quick wins” that will enable you to make significant, measurable progress in line with business goals.
Challenges with setting targets
Another key input from Sebastien level-sets the process of setting goals and targets for AppSec performance.
“Setting targets is actually the hardest part of a SAMM implementation project because you need to align what’s really necessary for the applications: the software in scope, the risk profile, and the business owners’ and stakeholders’ risk appetite,” describes Sebastien. “But also speed of development. How fast can we do this? Is there an understanding of the need to do this? And what resources does the organization actually have?”
Choosing a pilot project
Another key step is identifying an upcoming software release that could serve as a pilot project.
Sebastien explains: “That’s going to be based on aspects like what’s a good pilot team to start off with? What can we learn from that? How can we then take that as lessons learned for pushing this through the rest of the organization?”
More key steps
When you’re first starting out with AppSec, buy-in across your org may still be at a low point. That makes education and guidance especially important.
“You need to make sure that whoever is involved in your coding processes understands the [cyber] risks from the software and the need to get proper training,” notes Sebastien. “That’s a foundational part of every implementation.”
It’s also key to leverage application security champions to embed a security culture within your Dev teams, and to support teams to be accountable for AppSec as part of their job.
Finally, AppSec testing needs to be driven mainly by the application requirements.
“If you have requirements under control, testing will go better as well,” Sebastien comments.
The importance of threat assessment
Sebastien identifies application risk profiles and threat modeling as “a flipping point” between lower and higher AppSec maturity.
“Threat modeling might seem like an activity that takes some time and might slow things down,” Sebastien relates. “But it actually helps a lot of organizations to speed up their secure development processes because you are ingraining security as part of a decision process of what to do or what not to do in terms of security and aligning a team on that. And it’ll allow for faster deployment later, too.”
Sebastien recommends the four-question Stride threat categorization tool as a starting point for threat modeling. But he also acknowledges that “the most important thing is the process itself, and learning from that process as a team.”
Ready to hear this podcast episode with Sebastien Deleersnyder? Click here.
And here’s that OWASP SAMM-BSIMM-NIST SSDF comparison post you’ve been looking for: How Does the NIST Secure Software Development Framework (SSDF) Compare with OWASP SAMM, BSIMM, etc.?