In February, we hosted a virtual summit titled “Assembling the Pieces of the DevSecOps Puzzle.” The goal of the summit was to provide organizations with tools and information to implement a DevSecOps strategy and move it from theory into practice.
During one of the summit’s webinars, Pejman Pourmousa, VP of Program Management at Veracode, explained the importance of rethinking AppSec policies in a DevOps organization. With quicker release cycles and developers who want to write good code quickly, old policies won’t work and will most likely hinder development. You need new policies that are integrated throughout the SDLC, up to speed with DevOps, and right-sized to your security requirements.
An AppSec policy should be put in place to “really help get that DevSecOps operational” says Pourmousa. You want to think about what developers are focused on and what tools and automation they need to meet their goals.
What to Consider When Creating an AppSec Policy
Portfolio Criticality
- Business portfolio: is it business critical, public facing, etc.?
- Consider regulations, industry guidelines, and customer impact
Risk Tolerance
- Acceptable risk you are willing to take across your portfolio (keep it consistent)
- Identify flaw types that should NOT be in the application
Testing Techniques
- Establish required scan types and frequencies (static/dynamic/manual inspection)
- Create a consistent program instead of an ad-hoc approach
App Remediation Strategies
- If you do find flaws, what is your grace period for fixing them?
AppSec Policy Best Practices
Once you have established your policy guidelines, you want to consider Pourmousa’s policy best practices – the first being: implement achievable compliance. You want to set the bar low at first in order to promote adoption and then slowly introduce greater stringency once the team has adjusted. For example, to begin, you can institute weekly static scans with no high-severity flaws allowed. Later, when developers feel comfortable with the new procedure, testing frequency, disallowable flaw severity, and range of testing type can increase.
Additionally, it is important to have customized policies. All apps are not created equal, so different applications will need different policies and stringencies. Some may require testing more frequently, both static and dynamic testing, or stricter criteria for allowable flaws. Lastly, have a policy mandate. Although this process will be mostly governed by the security team, work with developers to set a clear compliance requirement before production or going live.
Getting Started
Now that you understand what AppSec policy is and what should be included, how do you actually implement it? First, establish your goals:
- Formalize criteria about when/what/how to test
- Determine standards for what is approved and given the “green light” to go to production
- Include everyone in the development process when establishing goals
- Design repeatable and measurable procedures
Second, hold a policy workshop to set guidelines surrounding:
- Defining: raise awareness on the team, answer questions, set goals and objectives
- Executing: gradually embed security policies, develop documentation to review and measure, gain approval from senior leadership, listen to feedback
- Optimizing: keep an open dialogue with the team, redefine the policy as needed, keep up to speed with DevOps
Third, stay up to date:
- Keep developers’ goals and needs in mind
- Educate team members and be transparent
- Continuously review and improve policies
- Listen to customers and users – is it working for them?
Adjusting to the speed of DevOps and implementing clear, achievable security policies requires thought, teamwork, and monitoring, but successful AppSec policies reduce cost, increase speed to market, and allow organizations to produce more secure, quality code.
Watch the complete AppSec Policies in a DevOps World session.