Yes, You Can Manage AppSec at Scale — Here's How

By Taylor Armerding, Security Advocate, Synopsys Software Integrity Group 

A major advance in any industry usually requires figuring out how to do what was previously considered impossible. Welcome to the software industry's version of that: managing application security (AppSec) risk at enterprise scale — and at unprecedented speed.

That doesn't mean it's suddenly easy. It has always been challenging to build security into the software development life cycle (SDLC), and the scale of today's enterprise development — hundreds of developers on multiple teams in dozens of business units working on thousands of applications — amplifies these challenges.

One of these challenges is the expansion of the attack surface, which is not due only to how much more software is being created. Digitalization, cloud adoption, the Internet of Things, mobile applications, and the rise of artificial intelligence all mean that developers are drawing from an increasingly complex software supply chain. More code from more sources means more risk, especially when there is less visibility into the origin of that code.

There is also increasing regulatory pressure. Again, that challenge isn't new — PCI DSS and HIPAA have been around for decades — but soon, software products intended to be sold to federal agencies will have to comply with standards generated from presidential executive orders on software supply chain security and secure software development frameworks, as well as provide self-attestation regarding the quality and security of that software.

So, yes, it's difficult, but not impossible. The good news is that there are solutions to those challenges, even at enterprise scale.

Set Your Goals

To start, it's crucial to set priorities and goals specific to your organization: What is your risk appetite? What are your critical testing needs? What tools and vendors will get you there? In short, figure out what success looks like and then make sure you have the tools, people, and services to help you measure it.

In the case of tools, that starts with consolidation. While application security testing (AST) tools are essential, too many organizations think that if a few tools are good, more are better and faster.

Not true. What has come to be labeled "tool sprawl" slows things down and can also make your software less secure. If there are too many tools bombarding developers with constant notifications, those developers will simply tune out the "noise" — the opposite of what you want. Data clutter from endless scans also makes it nearly impossible to measure success.

Yet according to multiple surveys, nearly three-quarters of organizations are using 10 or more AST tools. So the first task is to consolidate: Inventory your tools and eliminate those that are redundant or aren't absolutely necessary. The last thing you want is hundreds of applications being tested by dozens of tools across multiple teams. Bloat and complexity are the enemies of speed and visibility.

Then decide what you want those tools to do. Set priorities based on what needs the most protection. That requires an inventory of your existing software assets and applications. Assign them all a risk ranking: Which of them are behind a firewall and therefore much less likely to be exploitable, and which are most vulnerable to attack?

That will help you set success metrics. You don't need too many of them — perhaps time to triage, or time to remediate vulnerabilities — and they should align with the specific business objectives of an organization, which means they won't be the same for everybody.

These metrics will also guide how you configure your remaining AST tools to comply with your policies, which will then give you the visibility to measure the performance of your security program.

Finally, the way to help your security teams gain control of what could otherwise be chaos is to use an application security posture management (ASPM) tool.

As the analyst firm Gartner puts it, "ASPM tools continuously manage application risk through collection, analysis and prioritization of security issues from across the software life cycle. They ingest data from multiple sources, maintain an inventory of all software within an organization, [and] correlate and analyze findings for easier interpretation, triage and remediation."

In other words, they do the complicated stuff, so your developers won't have to.

They also help increase efficiency throughout the SDLC through "orchestration" — using the right tool to do the right test at the right time. And since most ASPM solutions are tool-agnostic, they provide visibility into which of your current tools are most effective.

Which is another way of helping you measure what success (or not) looks like.

About the Author

Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the expanding field of information security. Currently a senior infosec writer with Synopsys, Taylor previously has written for CSO Online and the Sophos blog Naked Security. When he's not writing, he hikes, bikes, golfs, and plays bluegrass music. Follow him on Twitter: @tarmerding2.