Bootstrapping an application security program is hard. Technology is only one part of the equation. You need to inventory your applications, get stakeholders on board, and then execute on the holy trinity of people, process, and technology. That’s why I was excited to see Hooper Kincannon, Cyber Security Engineer at Unum Group, present on “Secure from the Start: A Case Study on Software Security” at the Gartner Security & Risk Management Summit in National Harbor, MD. Hooper provided a great blue print for starting a DevSecOps program.
Sixty Vulnerabilities Are Reported Every Day, 27 Percent Are Never Fixed
Hooper began his presentation by outlining the current state of both software, and software security. He points out that while software is changing the world, it is also fundamentally flawed from a security perspective.
He points to some highlights from a study by Risk Based Security:
- More than 22,000 vulnerabilities were disclosed in 2018 – that’s about 60 per day.
- Almost a third of these (27%) were never fixed, so security professionals can’t just deploy a patch to improve their security posture.
- Web-related vulnerabilities accounted for nearly half of all reported security flaws, and more than two thirds were related to insufficient or improper validation of input.
- 33% received a severity rating of seven or above.
- OWASP Top 10 still account for two-thirds of the reported vulnerabilities.
What can we do about it? We can develop a secure software development lifecycle and try to stem the flow of the vulnerabilities being published in the first place. This is becoming increasingly difficult because more lines of code are be written than ever before (111 billion lines of code in 2016, trending up).
Software Is Becoming Mission Critical: Making the Case for AppSec
So what if Alexa won’t work or my app crashes? Both would probably only be minor annoyances, but software is also impacting us on a much larger scale. Not too long ago, people would be lucky if they had only a two-minute warning that a tornado was coming. Today, weather monitoring and modeling software can predict the formation and path of a tornado with stunning accuracy. And better still they can send text messages to those in danger – providing precious minutes to find shelter.
Farming is being transformed by software as well. Software monitors the moisture levels in soil, and irrigation systems connected to these sensors release the optimal amount of water into the soil. This way, the crops have what they need to grow, and not a drop of water is wasted. There are technologies that monitor crop growth and health and even harvest crops. In other words, software is tackling world hunger. That’s something worth protecting.
When you want to demonstrate to your stakeholders why application security is important to your organization, go back to your company’s mission and ladder up your argument to this ultimate goal. Unum offers disability, life and financial protection to its customers. If your mission is to help people at their most vulnerable moments in life, you need to ensure that they don’t have to worry about their identity being stolen as the result of a data breach in addition to having to figure out medical payments. Making this connection with the core mission can really help tell a story of why application security is crucial to the business.
Starting Out With the Right Questions
Before you can dive head first into your DevSecOps program, you need to ask yourself the right questions:
- Do you know your application portfolio?
- Do you have web application security policies defined?
- Who is responsible for the web application security program?
- Who is going to fund the program?
- What is your goal?
Only once you have answered these questions will you be able to find the right formula for your organization. Hooper laid out his program in the rest of the talk, but your organization may differ, so make sure that you ask these questions at the outset.
Building a DevSecOps Program from Scratch
Hooper started at Unum about three years ago as a member of their threat and vulnerability management team. At that point in time, they didn’t have a true web application security program, but they had a relationship with Veracode to assess their top-tier applications, and they were doing basic dynamic analysis with another vendor. At that point, Hooper was fortunate enough to get funding to help expand and mature the program.
Unum’s primary goal was to reduce risk, so he set out to discover and rate the risk of all of their applications. He helped define security policies for all web applications, including expectations and remediation SLAs. They also decided that security should be responsible for the administration of the AppSec program, and development would cover remediation.
Hooper chose to expand his relationship with Veracode, covering SAST, DAST, SCA, and eLearning. He also partnered with Veracode to provide live trainings for developers, and signed up for their program management and application security consulting services, which help onboard scrum teams and help developers fix security defects if they get stuck.
In a follow-up blog, we will delve into the details of Hooper’s AppSec program and his path to AppSec maturity.