How to Jumpstart Your AppSec Journey
AppSec is a fundamental part of the modern digital landscape. As we transition into the cloud, application security is becoming intertwined with infrastructure security to ensure the safety of applications and user data. However, despite the fundamental role of AppSec in a broader security program, getting started can be intimidating for organizations. Interested organizations may want to launch an AppSec program but hold back because they do not yet have a team or the right tools in place.
To help, we made episode 3 of Let’s Talk AppSecOps all about getting started with AppSec and putting a quick baseline in place from the infrastructure and DevOps perspective.
The challenges behind AppSec
“There were so many disparate systems that could potentially have pieces of information that you needed.”
A major challenge with getting started with AppSec is knowing where to start. With infrastructure, there are different approaches to threat detection and response that are all viable in their own right, like MDR, TDR, XDR, etc. These help identify vulnerabilities and contextualize them for a particular organization. Security professionals then have to manually bring this data together in a spreadsheet. This is challenging because most organizations lack the tooling to consolidate this diagnostic data. The same holds for AppSec across different scanners and monitoring solutions.
SCA: An easy way to get started with AppSec
“This is the lowest false positive thing you're going to have.”
As manual tracking of open-source code gets increasingly tricky because of the exponential increase in development speeds, Software Composition Analysis or SCA provides an automated way to evaluate the security of dependencies and determine code quality. SCA is very accessible: it is an easy-to-plug-in solution with very low false positive rates and low developer friction. Excellent open-source and commercial tooling is available, like Snyk, to get started.
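To make the mechanism concrete, here is a minimal SCA check written as an added example for this post (it is not the podcast's or Snyk's code). It parses a pinned dependency list in pip's `name==version` form and matches each pin against a small advisory database. The lockfile, the advisories and the `ADV-EXAMPLE-*` identifiers are all constructed for illustration; real tools pull the advisory feed from a vulnerability database.

```python
"""Minimal software composition analysis (SCA) check.

Added example: parses a pinned dependency list and matches each pinned
version against a small, constructed advisory database.  The dependency
list and the advisories below are made up for illustration; the advisory
identifiers are placeholders, not real CVEs.
"""
import re
from dataclasses import dataclass

# Constructed lockfile contents (pinned 'name==version' lines, as pip freeze emits).
LOCKFILE = """\
requests==2.19.0
urllib3==1.26.5
# comment line
pyyaml==5.4.1
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real identifier
    package: str
    affected: str      # comma-separated specifier clauses, e.g. ">=2.0,<2.20.0"
    fixed_in: str


# Constructed advisory database for the example.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "requests", ">=2.0,<2.20.0", "2.20.0"),
    Advisory("ADV-EXAMPLE-0002", "pyyaml", "<5.4", "5.4"),
    Advisory("ADV-EXAMPLE-0003", "urllib3", ">=1.0,<1.26.5", "1.26.5"),
]


def parse_version(v: str) -> tuple:
    """Turn '2.19.0' into (2, 19, 0); a non-numeric component ends the parse."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(a: tuple, b: tuple):
    """Right-pad the shorter tuple with zeros so (2, 0) compares equal to (2, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every clause in a specifier like '>=2.0,<2.20.0'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        a, b = _pad(v, parse_version(bound))
        if not _OPS[op](a, b):
            return False
    return True


def parse_lockfile(text: str) -> dict:
    """Return {package_name: pinned_version} from 'name==version' lines."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def audit(lockfile_text: str, advisories) -> list:
    """Return (package, version, advisory_id, fixed_in) for every vulnerable pin."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and version_matches(version, adv.affected):
            findings.append((adv.package, version, adv.advisory_id, adv.fixed_in))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in audit(LOCKFILE, ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}; upgrade to {fixed}")
```

Run against the constructed input, only `requests==2.19.0` is reported; `urllib3` and `pyyaml` sit exactly at or above their fixed versions and are correctly left alone. This is the reason SCA has such a low false positive rate: the check is an exact comparison of a pinned version against a published affected range, not a heuristic over the code itself.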
SAST: The next step to identifying security vulnerabilities
After setting up SCA, next comes Static Application Security Testing or SAST, which scans an application’s source code before compilation to weed out security vulnerabilities. SAST is an excellent follow-up to SCA because it builds on the adoption SCA has already achieved and provides a natural next step. However, SAST can be more challenging to set up: it must be configured correctly, and its findings require a lot more investigation and triage.
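The following is an added example (not the podcast's code, nor any particular SAST product's) of what a static scan actually does: it parses Python source into an AST and reports a handful of risky constructs without running the code. The three rules, the `# sast: ignore` suppression marker and the sample source are all constructed for this example. The suppression marker is there to show the triage side of the setup cost mentioned above: a reviewed finding has to be recorded somewhere, or the scanner keeps raising it.

```python
"""Minimal static application security testing (SAST) pass over Python source.

Added example: walks the AST of a source string and reports a few
well-known risky constructs.  The rules, the 'sast: ignore' suppression
marker and the sample source are all constructed for this example.
"""
import ast
import re
from dataclasses import dataclass

# Constructed sample: what a scanner sees before the code is ever run.
SAMPLE_SOURCE = '''\
import os
import subprocess

DB_PASSWORD = "hunter2"          # hardcoded credential
API_TOKEN = os.environ["TOKEN"]  # fine: read from the environment

def run(user_cmd):
    subprocess.run(user_cmd, shell=True)      # shell=True with caller-controlled input
    subprocess.run(["ls", "-l"])              # list form, no shell: fine

def compute(expr):
    return eval(expr)                         # eval on untrusted input

def legacy():
    return eval("1+1")  # sast: ignore
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)
DANGEROUS_CALLS = {"eval", "exec"}


def _suppressed(source_lines: list, lineno: int) -> bool:
    """A reviewed, accepted finding is marked inline; this example's convention."""
    return "sast: ignore" in source_lines[lineno - 1]


def _call_name(node: ast.Call) -> str:
    """Return 'eval' for eval(...), 'subprocess.run' for subprocess.run(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def scan(source: str) -> list:
    """Return Findings, sorted by line, for the risky patterns this example checks."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            # Rule 1: a string literal assigned to a secret-looking name.
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append(Finding("hardcoded-secret", node.lineno, target.id))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            # Rule 2: eval/exec calls.
            if name in DANGEROUS_CALLS:
                findings.append(Finding("dangerous-call", node.lineno, name))
            # Rule 3: any subprocess.* call with shell=True.
            if name.startswith("subprocess."):
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append(Finding("shell-true", node.lineno, name))
    # Drop findings on lines a developer has reviewed and explicitly accepted.
    kept = [f for f in findings if not _suppressed(lines, f.line)]
    return sorted(kept, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} ({f.detail})")
```

On the sample it reports the hardcoded password on line 4, the `shell=True` call on line 8 and the `eval` on line 12, while leaving the environment-sourced token, the list-form `subprocess.run` and the suppressed line 15 alone. Notice that unlike the SCA check, each rule here is a judgement about code shape, which is why SAST output needs investigation: the `eval("1+1")` on line 15 is harmless, and somebody had to look at it to say so.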
An AppSec program that covers all bases: the left, the right, and the middle
Apart from traditional vulnerability management methods, modern AppSec programs should consider containerization security solutions like Aqua Security that can protect cloud apps from attacks, and pen testing software like Metasploit. These tools can immensely help cloud-based healthcare and finance systems. There are also great technologies like Horizon3.ai, which performs fully autonomous pen testing.
In the modern cybersecurity space, it is vital to have an AppSec program that covers left and right, while the middle can be covered by DAST or RASP. As everything moves to the cloud, AppSec is at the forefront of cybersecurity and should be prioritized by all organizations with an increasing digital presence and footprint.
To learn more about getting started with AppSec, listen to the full conversation between Mark and me in this episode of Let’s Talk AppSecOps.