The application security (AppSec) industry moves fast. Development, security and operations (DevSecOps) practitioners have to find creative approaches to drive productivity, efficiency and enhanced security across software development. At Uleska, we speak to a lot of people who either simply don't know where to start or who get caught up in processes that become difficult to scale.
In this article, which is the first of a series of blogs, we share the top five hacks that experienced DevSecOps practitioners have discovered over the years. Let’s dive in.
“Curiosity is a superpower in application security. You don't have to be a penetration tester or weakness researcher - you need to be insatiably curious and creative. Be the person who asks "what if I did this?" and go find out - that's how cyber security flaws are found.”
“Raise findings from appsec scanning as early as possible in the CI process. Where possible, use things like IDE extensions to raise issues to devs as they write the code. The earlier devs receive these findings, the less they'll have to context switch and feel they've been interrupted.”
“Threat modelling a system generates an order of precedence for applying security controls, creating an impact-based list of defences that will tangibly increase an organisation's security. This is traditionally an application security practice, but extending it to infrastructure brings great benefits to a system before, during, and after its creation.”
“Use ‘Security Champions’ as much as you can. You’ll find people within the development teams who are good at security and can support the rollout of security tools and processes, helping them to be successful. Champions help scale security beyond the security team, and can give great feedback on how things are actually going.”
“Just like any job, don’t burn yourself out; take the weekends and vacations as you should. If the security of the company depends on you being there, doing things 24/7, then you're going to become a single point of failure in the process, and you’re going to fail. Look to set up processes and automation where you can, so you’re not on the critical path. That way you and the company will be better off.”
So, there we have it. The first Top Five AppSec Productivity Hacks of 2022. We look forward to tracking how the AppSec space matures over the next 12 months and we expect to see practitioners taking advantage of new ways of working with regard to culture, processes and tools.
Interestingly, the majority of tips submitted so far are not purely technical hacks but rather improvements to processes and softer skills within security and development teams. As in many disciplines within the security landscape, the need for refreshed processes, skills and collaboration is often a more important consideration than purely technical skills.
We hope to continually collaborate with our network, tapping into this vast pool of expertise, to get a sense of how the application security landscape is evolving. We aim to highlight more hacks every quarter and we’d love to hear from you if you have any insights of your own.
Do you have any suggestions or tips around AppSec? If so, please email your contributions or ideas to Raquel at Uleska.
Uleska helps security and development teams manage application security at scale by automating and orchestrating their preferred security tools within CI/CD.
With Uleska, teams can confidently start an AppSec program using open-source, commercial, and custom tools and then quickly change, add or scale tools as the technology and business needs evolve. Uleska also brings speed and scale when integrating into development tools, and when reporting metrics and risk.
By bringing security, DevOps and development teams together, we help reduce manual tasks so application security takes less time and money, while also enabling scale. This allows teams to focus resources on the issues and metrics that matter. Interested? Find out more about us!