Application Security (AppSec) is a robust domain with myriad specialties, tools, and best practices. That said, it can be helpful for organizations to understand where to focus and how to get started. In this article, we will take a look at five of the top best practices to adopt to bolster your application security.
Utilize a software security maturity model.
Understanding where to get started with application software security can be a daunting task. That’s why adopting a maturity model, such as Synopsys’ Building Security in Maturity Model (BSIMM) or OWASP’s Software Assurance Maturity Model (SAMM) can be a great place to start. These frameworks help point you in the right direction on how to plan, implement, and measure software security initiatives.
They describe fundamental best practices, tactics, and methodologies to include in the various phases of the software development life cycle (SDLC). For example, SAM breaks down its practices across the various business functions of Governance, Design, Implementation, Verification, and Operations. There is also the newly published NIST Secure Software Development Framework (SSDF), which makes use of emerging approaches, such as the Software Bill of Materials (SBOM) and attestations.
Implement an approach to DevSecOps.
If there’s one thing that has been evident from the past several years in cybersecurity, it is the need to shift security left, as it has been called, and introduce security earlier in the SDLC.
As defined by NIST, “DevSecOps helps ensure security is addressed as part of all DevOps practices by integrating security practices and automatically generating security and compliance artifacts throughout the process.” This means not just integrating security throughout the SDLC, but also producing verifiable and trustworthy artifacts to attest to the processes and activities that occurred. Doing so bolsters the assurance in the software delivered and the truth that can be placed in its integrity.
Have an accurate inventory.
As the age-old saying in cybersecurity goes, you can’t defend what you don’t know exists. This applies to software and applications as much as hardware. The significant difference is that hardware is physical and tangible, whereas getting an accurate software inventory could potentially be even more difficult to do in large enterprise environments. There’s a reason that “Inventory and Control of Software Assets” is listed as #2 on the CIS Critical Security Controls list.
Encrypt your data.
It’s said that data is the new oil, due to the business value that data provides. Even so, data is also the primary target for malicious actors. This is why it is critical to encrypt your data — no matter if you’re talking data at rest, in transit, or even in use — with emerging encryption technologies and capabilities. Things inevitably can and will go wrong.
However, having data encrypted and practicing proper encryption key management can go a long way in mitigating the impact of malicious actors. The importance of encryption is pointed out in the CISA Zero Trust Maturity Model, which emphasizes optimal Zero Trust posture as all data being encrypted both at rest and to internal and external locations whenever possible.
Automate, automate, automate.
The cybersecurity skills shortage is a known problem at this point and has been for years. Everyone is aware that organizations of all shapes, sizes, and industries are struggling to attract and retain enough cybersecurity talent. This is why it is critical to automate as much of your security as possible, not to mention to reap the benefits of speed, to minimize exploit windows and eliminate the risk of human error.
If you automate poor activities, you’ve just made bad things happen faster. As such, it’s important to ensure that you’re automating the right things in the right ways.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: