Invisible Application Security is the concept of integrating and automating AppSec testing with little disruption to developer workflows.
I really like my car’s keyless entry system. The “key” is not a key in the traditional sense of the term; all I have to do is put it in my pocket and forget about it. When I grab the handle of the car door, it just unlocks. When I get out of the car, I run my hand over the handle to lock the car.
This is good because I never have to take the key out of my pocket, reducing the risk of accidentally leaving it somewhere or locking it inside the car.
But best of all, I don’t have to think about it. The car is locked until I need to unlock it.
Define and forget
This is a variation on set-and-forget, one of my favorite tenets. If I have to spend the time and money to fix a problem, I want it to stay fixed.
For example, I have gutters on the edges of my roof to catch runoff. Unfortunately, these gutters also fill with pine needles from nearby trees. I can fix this by removing the pine needles and other debris, but I have to do it at least once a year.
Instead, I can install a system that allows water to enter the gutters, but not the needles or pine leaves, which means I never worry about my gutters again.
Give your developers a clear lead
Software developers also want things that work; they want problems to stay solved. They like clear definitions and clearly delineated responsibilities.
From this point of view, the first generation of application security was a particular hell. Application security testing was performed very late in the Software Development Lifecycle (SDLC), typically just before release, when the development team thought it was done.
Security testing typically produces a very long list of results, which may or may not be real issues, and which may or may not make sense to the development team. They thought they were done, so they were frustrated at having a big pile of findings imposed on them without necessarily understanding the implications.
In this first generation of application security, security teams were also frustrated. They worked hard to run security tools and were usually overwhelmed with testing requests from all of an organization’s development teams. Additionally, many development teams, pressed for time to release products, would minimize or ignore the issues reported by security teams.
In the second generation of application security, development teams can automate and integrate application security testing into the development process, creating a much smoother experience. Security teams, instead of scrambling to perform security testing for teams that don’t always appreciate their efforts, work as advisors and mentors to development teams.
In this second generation, developers’ workflows are barely disrupted. When application security testing is automated in the existing build and packaging processes, developers don’t have to think about it. And when application security results are integrated with the existing issue tracking system, developers can fix security issues like any other functional issue. Application security is a crucial part of the development process, but it becomes invisible in a very positive way.
Nirvana to come
A new generation of application security is happening. If you have successfully made the transition to the second generation of AppSec, you have new challenges to overcome:
- Different security tools produce different types of results in different formats. You need a way to combine, deduplicate, and homogenize results.
- Application security is about risk management. You need a way to sort and prioritize all of your findings, so that you can spend your time and money on correcting the most dangerous findings first.
- As you automate more security tools in your development process, you’ll find that you probably don’t need to run all the tools on every developer commit. You need a smart approach to orchestration in order to run the right tests at the right time, making the most of your available resources.
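The three challenges above, as an added worked example that is not code from the original post and not Code Dx or Intelligent Orchestration code: two hypothetical SAST tools and one hypothetical SCA tool emit findings in different shapes, the script normalizes them to one record type, deduplicates by a tool-independent fingerprint (merging the tools that agree), ranks by severity and corroboration, and a small orchestration policy picks which tools to run for a given commit. Tool names, field names, severity scales, the sample findings and the manifest/branch rules are all constructed assumptions.

```python
"""Aggregate, deduplicate, prioritize and orchestrate AppSec findings.

Added example, not part of the original post and not Code Dx or Intelligent
Orchestration code. Every tool, format, severity scale and policy here is a
constructed assumption for illustration.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# --- Constructed sample output from three hypothetical tools ----------------
# "sast-a": one dict per finding, word-based severity.
SAST_A = [
    {"rule": "sql-injection", "path": "app/db.py", "line": 42, "severity": "high"},
    {"rule": "hardcoded-secret", "path": "app/config.py", "line": 7, "severity": "medium"},
]
# "sast-b": different field names and a numeric 1-10 score; it reports the
# same SQL injection at the same location as sast-a.
SAST_B = [
    {"check_id": "SQLI", "file": "app/db.py", "start_line": 42, "score": 9},
    {"check_id": "XSS", "file": "app/views.py", "start_line": 15, "score": 7},
]
# "sca": tab-separated "package<TAB>version<TAB>advisory<TAB>level" (advisory
# id is a placeholder, not a real identifier).
SCA_TSV = "requests\t2.19.0\tADVISORY-PLACEHOLDER-1\tCRITICAL\n"

# Common vocabulary the tool-specific names are mapped onto.
CATEGORY_MAP = {"sql-injection": "sqli", "SQLI": "sqli", "XSS": "xss",
                "hardcoded-secret": "secret"}
SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    category: str              # tool-independent category
    location: str              # "file:line" or "package@version"
    severity: int              # normalized 1 (low) .. 4 (critical)
    tools: List[str] = field(default_factory=list)

    @property
    def fingerprint(self) -> str:
        # Deliberately excludes the tool name so duplicates across tools collide.
        return f"{self.category}|{self.location}"


def score_to_severity(score: int) -> int:
    """Collapse the hypothetical 1-10 scale onto the common 1-4 scale."""
    if score >= 9:
        return 4
    if score >= 7:
        return 3
    if score >= 4:
        return 2
    return 1


def from_sast_a(rows: Iterable[dict]) -> List[Finding]:
    return [Finding(CATEGORY_MAP[r["rule"]], f'{r["path"]}:{r["line"]}',
                    SEVERITY_WORDS[r["severity"]], ["sast-a"]) for r in rows]


def from_sast_b(rows: Iterable[dict]) -> List[Finding]:
    return [Finding(CATEGORY_MAP[r["check_id"]], f'{r["file"]}:{r["start_line"]}',
                    score_to_severity(r["score"]), ["sast-b"]) for r in rows]


def from_sca_tsv(text: str) -> List[Finding]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, ver, _advisory, level = line.split("\t")
        out.append(Finding("vulnerable-dependency", f"{pkg}@{ver}",
                           SEVERITY_WORDS[level.lower()], ["sca"]))
    return out


def aggregate(findings: Iterable[Finding]) -> List[Finding]:
    """Deduplicate by fingerprint, keeping the highest severity and every tool that agreed."""
    merged: Dict[str, Finding] = {}
    for f in findings:
        key = f.fingerprint
        if key in merged:
            m = merged[key]
            m.severity = max(m.severity, f.severity)
            for t in f.tools:
                if t not in m.tools:
                    m.tools.append(t)
        else:
            merged[key] = Finding(f.category, f.location, f.severity, list(f.tools))
    return list(merged.values())


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Most severe first; among equals, findings corroborated by more tools first."""
    return sorted(findings, key=lambda f: (-f.severity, -len(f.tools), f.fingerprint))


# --- Orchestration policy (assumed rules, not a real product's policy) ------
MANIFESTS = {"requirements.txt", "package.json", "pom.xml", "go.mod"}
SOURCE_EXT = (".py", ".js", ".java", ".go")


def select_tools(changed_paths: Iterable[str], target_branch: str, main_branch: str = "main") -> List[str]:
    """Run SAST on source changes, SCA on manifest changes, DAST only for the main branch."""
    paths = list(changed_paths)
    tools = []
    if any(p.endswith(SOURCE_EXT) for p in paths):
        tools.append("sast")
    if any(os.path.basename(p) in MANIFESTS for p in paths):
        tools.append("sca")
    if target_branch == main_branch:
        tools.append("dast")
    return tools


def run_pipeline() -> List[Finding]:
    """Normalize, aggregate and rank the constructed sample output."""
    raw = from_sast_a(SAST_A) + from_sast_b(SAST_B) + from_sca_tsv(SCA_TSV)
    return prioritize(aggregate(raw))


if __name__ == "__main__":
    for f in run_pipeline():
        print(f"sev={f.severity} tools={','.join(f.tools):<13} {f.fingerprint}")
    print(select_tools(["app/db.py", "requirements.txt"], "main"))
```

The fingerprint is what makes deduplication work: it is built from the normalized category and location only, so the same SQL injection reported by both SAST tools collapses into one record that lists both tools, and that corroboration then lifts it above an equally severe finding seen by a single tool.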
Another important benefit of an orchestration and aggregation system for security tools is that as new security tools are adopted, they become easier to automate.
The next generation of application security is dawning. You can be part of it with Code Dx and Intelligent Orchestration.