The Road to DevSecOps: Addressing the Challenges of AppSec Awareness

Today, most organizations want to increase awareness and security, and this includes leveraging practical materials for software developers about best practices and common pitfalls throughout the various steps needed to accomplish this goal. An AppSec Awareness Program should primarily target your software development community first, and it must be performed and tracked on a regular basis.

Recently, I had an opportunity to sit down with Kurt Risley and ask him about his experiences and observations when working with organizations that desire to develop a comprehensive AppSec Awareness Program. The Q&A is as follows:

Stephen: Since our world relies heavily on software, today more than ever before, software must equal security. In this context, what are your thoughts on the origin of software vulnerabilities?

Kurt: Almost all research into the origin points to the lack of secure coding education, training, awareness, and skills. In fact, 70 percent of developers indicate they lack the necessary training to adequately secure the software they develop. In addition:

  • There are 22M software developers around the world (Evans Data),
  • 90% of security incidents result from defects in the software design or code (DHS),
  • 21% of data breaches are the result of software vulnerabilities (Verizon),
  • 1 in 3 of newly scanned applications had SQL injection vulnerabilities over the past 5 years (Cisco),
  • And there is a 100 to 1 ratio of developers as compared to application security personnel (SANS).

Therefore, the best place to start is from the beginning with the developers themselves. However, the reality is that today’s developers have other priorities like deadlines, functional bugs vs. vulnerabilities, new languages, expansion of software utilization, increasing projects, etc.

Although some organizations have mandatory compliance requirements such as PCI, GDPR, etc., their current program is not well conceived to adequately address their compliance mandates. Today, AppSec awareness is no longer an option.

Stephen: How does your conversation typically start with an organization around an AppSec Awareness Program?

Kurt: I typically ask the organization this basic question first, “Do you currently have an AppSec Awareness Program in place for your developers?” Most customers I speak with either have an informal program, where the developer is required to take a certain amount of training, while others have nothing in place whatsoever, but really desire to take it to the next level. It’s nearly the same no matter who I talk to.

Now in the context of an official awareness program, these are the most common questions I get: “How do we put a formal program together for our developers? Where do we get started? How do we get engagement from the developers where it’s fun and not the typical training where everyone rolls their eyes?” To be honest, answering these questions on a daily basis is where I have been spending most of my time.

Stephen: What does a workable and proven AppSec Awareness Program look like and how do you kickstart one?

Kurt: There are some key milestones and approaches that any organization can adopt. First, we want a commitment from leadership. This is critical. Executive sponsorship is a key success factor, but it doesn’t mean you have to have it to roll out a program for your developers.

Here are the 4 key areas that must be addressed to obtain key stakeholder buy-in:

First, communicate with your executive team about the what, why, and how of an AppSec Awareness Program—typically, the goals and benefits of the program.

Second, address the questions from your executives concerning, “What’s in it for me?” I usually answer with this:

  • It strengthens ties between developers and security teams.
  • It reduces software risk and mitigates business risk.
  • It helps demonstrate that you are a security-driven organization to your customers (which is important to all organizations).

Next, discuss with your software development managers about the goals and benefits of the program, primarily from their perspective.

Finally, address the questions from your development managers concerning, “What’s in it for me?” I usually start with this:

  • It reduces the amount of costly security bugs delaying software delivery and deployment.
  • It puts security in the foreground of software development and incorporates security as a best coding practice, organization wide.
  • It improves collaboration between the security team and developers.
  • It provides an easy way to identify and measure security skills among new hires and candidates.

Stephen: What is the best way to organize an approach to a solution setup?

Kurt: Let’s talk about an organizational structure first, and what that setup looks like a little more in detail.

  • Rollout: Using teams makes the rollout more structured and easier to manage long term. That could be done by geography, by business units, by application, by language, etc.
  • Launch: Communicate with developers on the specifics of the rollout. Clearly explain the goals and objectives and make it clear that this will be fun and very productive. This will not be a time-consuming sink.
  • Assess: Get a baseline at the beginning of your program. Wouldn’t it be nice to continuously assess your developer organization and understand where their strengths are, and then understand areas that need improvement?
  • Takeaway: There are many benefits to this approach and the key takeaway is now you can demonstrate the value to leadership after training has been conducted and the areas that have been increasingly improved.
  • ROI: This delivers measurable KPIs that result in a proven accelerated ROI, which is a significant return on your initial and long-term investment for the cost of an official program.

Stephen: Then, what should happen next?

Kurt: You must be proactive and as a result, you’ll reduce risk in your organization. What I mean by being proactive should entail:

This post was first published on Blog – Checkmarx’s website by Stephen Gates.