An Introduction to AppSec and Why It’s Important to You

By 
Jennifer McLarnon
July 12, 2022

“Security and risk management leaders…should focus on orchestrating multiple application security innovations to serve as a coherent defense, rather than relying on a set of stand-alone products.” - Gartner’s Hype Cycle for Application Security, 2021

Application Security (AppSec) is the process of using different tools and practices to find threats, prevent attacks, and constantly enhance the security of applications.

Traditional security practices vs. new ones

Traditional approaches to application security involved manual code reviews, checks, and reporting, which would stretch for days. Implementing the resolutions would take longer, all of which proved to be a massive loss of time for developers. Most notably, security was treated as a separate, unrelated activity from other development processes. 

But now, traditional security practices have evolved and adapted to integrate with the need of the hour, which is higher, tighter security layers covering every aspect of the development cycle. 

Security is now increasingly ‘shifting left’ with more automation and is becoming a part of CI/CD pipelines, which eliminates threats right at the onset. The key difference? Everyone, not just the security team, is responsible for security now with vulnerability scanning and other checks put in place throughout the software lifecycle.

Why is this critical for software development today?

Today, apps are getting more complex, increasingly dependent on third-party libraries, and hurtling forward from ground zero to deployment at faster speeds sans thorough checks and protection in place, making them more vulnerable than ever. Some of the most common security risks include:

  • Integrating frameworks, libraries, and other software that are more susceptible to hacks
  • Incorrectly coded or insufficiently protected APIs
  • Using open source components
  • Weak coding and configuration of SQL, XSS, HTTP headers, etc.

Cybersecurity Ventures expects cybercrime to grow by 15% every year over the next five years, costing global economies US$10.5 trillion on an annual basis by 2025. The risks are high and so are the stakes, which makes implementing an AppSec program across your organization more urgent than ever.

Implementing AppSec for tighter security

For a business to experience tangible benefits, it’s important to create a culture of AppSec and implement a program that would streamline people, processes, and technology. Feeling overwhelmed at the thought? The good news is that you don’t need to start from scratch. Here are three things that will simplify the process.

Leverage existing frameworks

It’s easier to leverage some of the frameworks and models already in place. The OWASP Software Assurance Maturity Model (SAMM), for instance, can help you plan, design, track, and enhance your AppSec program right from the start. Most importantly, it can help create a roadmap to keep your goals and timelines in clear sight to track your progress.

Start building a culture

Keep realistic goals that are fairly achievable to begin with. Rome wasn’t built in a day and so isn’t an entire security program. Start by garnering the interest of a few developers, get them to work with a security specialist, and define secure coding practices for wider absorption. AppSec is a culture, and if you’ve to build it, start with the people.

Know your applications

Create an inventory of your applications and pay attention to the architecture to know what you are up against. You can then sort them in terms of vulnerability, importance to business, adherence to compliance and other factors which will help prioritize and meet your goals.

Conclusion

Whether you have a small team of 5 or multiple ones across geographies the challenges are the same. It’s the scale that differs and once you know where to start, it’s a matter of empowering your developers with the right processes, tools, and knowledge. And soon you’re on your way to developing highly secure products, faster.

Jennifer McLarnon
Security Consulting Senior Manager, Accenture