It’s been months in the making. It promises to generate new revenue for the business. And there’s one team that hasn’t seen it yet. We’re talking about your shiny new web application. Back in the day, development would build an application and throw it over the wall to security for review, and security would hand back a laundry list of issues that had to be fixed before the release could go to production. Or, perhaps worse, the application was reviewed only after it had already been pushed to production. Not only is this risky, it’s also costly and slow.
Businesses today are quickly realizing that this process is as broken as a 1920s record. To stay competitive, companies need to run fast, but they also know they can’t do so at the expense of security. A vulnerability that is only found once the application is in production has been exposed to attackers for the whole time since it shipped, which is why more and more companies want to shift their software development lifecycle (SDLC) from a culture of testing post-launch to a culture of integrating web application security into the development lifecycle. Trouble is, they’re not sure how to go about doing so. It requires breaking down age-old barriers and bridging the gap between security and development teams.
In this post, we’ll explain step-by-step how to break down the wall that exists between development and security teams for better web application security testing.
1. Develop a common set of goals
Security and development teams are often working towards different goals. While development needs to move fast, security needs to move with caution. Naturally, this has caused quite a bit of tension when it comes to web application security, and it’s high time that tension was resolved.
To start, it’s important that security and development leaders are eager and ready for this transformation, as it’s up to them to start the conversation and implement a new way of thinking. Early on in the process, leadership from both teams must work together to determine common goals. Most often, it’s the desire to run fast and secure that brings teams closer together. It’s also important to recognize that security can be a major competitive advantage to the business, as more and more customers are demanding it before signing on the dotted line.
Once the goals are agreed upon, it’s time to get to work. Begin by defining the tasks and processes required to meet each goal, many of which we will cover throughout the rest of this post.
2. Encourage bi-directional communication
When goals are aligned, communication becomes a lot easier. Not only that, but if both teams speak the same language, it’s easier for everyone to stay in the loop and to spot issues and resolutions early on. For example, the word ‘vulnerability’ means two different things depending on your role. Security teams see a vulnerability as a potentially serious threat to the company, whereas development teams think of it as a bug. If a common language isn’t defined around words like these, issues may not get the urgency and attention they deserve. Early on in the process, define the words both teams use and give them concrete definitions: agree on a severity scale, and on the fix window each severity carries, so that when an issue comes up in conversation its meaning and urgency are clear on all ends.
We recommend establishing a common place where conversations like these can be had, whether it’s a dedicated Slack channel, a weekly standup, or the like. This can provide a level of visibility into daily activities that most organizations haven’t had before — but desperately need.
With a place to converge, teams can more easily collaborate, discuss issues early on, and develop camaraderie.
3. Implement unified processes and tools
Without a collaborative process in place, it can be impossible to work together. If you’ve ever asked the development team to fix an issue on your schedule, you know this first-hand. Development teams are already busy with many, many other tasks and can’t easily prioritize on-the-fly security fixes without advance notice.
Issues like these can be eliminated altogether if teams begin using the same tools and end-to-end workflows. A Rapid7 application security solution can do exactly this. When application security scanning is integrated with a continuous integration (CI) tool such as Jenkins, every new build triggers a web app security scan, so issues are detected the moment the build is created. From there, a solution like InsightAppSec can integrate with a ticketing system such as JIRA, so that vulnerabilities are submitted and categorized for the development team in the workflow they already use, with the severity and fix window agreed earlier attached to each ticket.
By embedding security and development tasks into one or a few shared tools, you can automatically report and prioritize security fixes and implement better security much earlier on in the development lifecycle.
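To make the scan-to-ticket workflow above concrete, here is an added example (not InsightAppSec, Jenkins or JIRA code) of the triage step that sits between the scanner and the tracker. The finding format, the severity-to-priority policy, the ticket payload shape and the sample findings are all constructed for illustration; a real integration would read the scanner’s export and call the tracker’s REST API. It fingerprints each finding so that re-scans update existing tickets instead of duplicating them, flags regressions when a closed ticket’s finding reappears, and gates the build only on new or regressed findings above an agreed severity, so a known issue that is already ticketed and scheduled does not turn every build red.

```python
"""Triage web-app scan findings from a CI build into tracker tickets and a build gate.

Added example, not vendor code. The finding dicts, POLICY table and ticket
payload shape are assumptions chosen for illustration.
"""
import hashlib
import json

# Assumed policy agreed between security and development:
# severity -> (ticket priority, fix window in days, blocks the build?)
POLICY = {
    "critical": ("P1", 7, True),
    "high": ("P2", 30, True),
    "medium": ("P3", 90, False),
    "low": ("P4", 180, False),
}

CLOSED_STATES = {"Done", "Closed", "Won't Fix"}


def fingerprint(finding):
    """Stable identity for a finding across builds.

    Keyed on vulnerability class, location and parameter, deliberately not on
    the build id, so a re-scan maps back to the same ticket.
    """
    key = "|".join([finding["type"], finding["url"], finding.get("param", "")])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(findings, existing_tickets, build_id):
    """Return (new_ticket_payloads, regressed_fingerprints, build_should_fail).

    existing_tickets maps fingerprint -> tracker status for tickets already filed.
    """
    new_tickets, regressed, fail_build = [], [], False
    for f in findings:
        sev = f["severity"].lower()
        if sev not in POLICY:
            raise ValueError(f"unknown severity {f['severity']!r}")
        priority, fix_days, blocks = POLICY[sev]
        fp = fingerprint(f)
        status = existing_tickets.get(fp)
        if status is not None and status not in CLOSED_STATES:
            continue  # already tracked and open: leave it on the dev team's schedule
        if status in CLOSED_STATES:
            regressed.append(fp)  # finding came back after the ticket was closed
        else:
            new_tickets.append({
                "fingerprint": fp,
                "summary": f"[{f['type']}] {f['url']}",
                "priority": priority,
                "fix_window_days": fix_days,
                "labels": ["appsec", f"build-{build_id}"],
                "description": f.get("evidence", ""),
            })
        if blocks:
            fail_build = True  # new or regressed finding above the agreed threshold
    return new_tickets, regressed, fail_build


# Constructed sample scan output for one build (not real scanner data).
SAMPLE_FINDINGS = [
    {"type": "SQL Injection", "severity": "High", "url": "/api/orders",
     "param": "id", "evidence": "payload 1 OR 1=1 changed the result set"},
    {"type": "Reflected XSS", "severity": "Medium", "url": "/search", "param": "q"},
    {"type": "Missing HSTS header", "severity": "Low", "url": "/"},
]

# Constructed tracker state: the XSS is already in progress, the HSTS ticket was closed.
EXISTING_TICKETS = {
    fingerprint(SAMPLE_FINDINGS[1]): "In Progress",
    fingerprint(SAMPLE_FINDINGS[2]): "Done",
}

if __name__ == "__main__":
    tickets, back, fail = triage(SAMPLE_FINDINGS, EXISTING_TICKETS, "1234")
    print(json.dumps(tickets, indent=2))
    print("regressed:", back)
    print("fail build:", fail)
```

In a pipeline the three return values map onto three actions: the payloads are posted to the tracker, regressed fingerprints reopen their tickets with a comment naming the build, and the boolean sets the job’s exit status so the gate is visible where developers already look.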
4. Establish an employee security training program
All employees, security or not, should receive security awareness training as part of their onboarding process. Security vulnerabilities are simply too prevalent today to be the concern of a select few. Done right, security is the job of the collective.
All employees should be trained on the systems and security processes they are required to use in order to do their jobs securely. This includes the use of VPNs, two-factor authentication, encryption, and more. This training should be a crucial part of your employee onboarding program, and it should continue well beyond it, too. Monthly or quarterly security awareness sessions help reinforce security best practices. Whether you host a brown bag lunch or a more formal half-day session, the purpose should be to further your employees’ understanding of security, discuss recent breaches, and teach new practices they can follow to keep protecting the business from the latest threats.
It’s also in your best interest to further train those who are closest to your code — namely your developers. They should be trained and up-to-date on secure coding practices, which can make your job and theirs a lot easier when it comes to web application security testing.
Security training goes beyond breaking down silos between security and development: it opens up the security conversation to the entire organization. This enables everyone to be a security advocate, which strengthens your organization’s security posture as a whole.
Security + development: better insights to remediate application security issues faster
The security conversation is quickly changing for organizations large and small alike. By breaking down the barriers that have traditionally separated security and development teams, they can begin to work in unison towards similar goals, not in opposition towards differing goals.
Follow the four tips laid out in this post and you will be well on your way to a new and improved web application security posture.
Begin bridging the gap between security and development with InsightAppSec.