Over October 2022, for NCSAM, I shared thirty-one random AppSec thoughts. For some of these thoughts, I’ve pointed to other writings I’ve prepared that cover the topics in more depth.
- Shift left and shift right = Secure Development Lifecycle. What’s old is new again.
- With all the attention on API security, we often overlook the OWASP API Security Top Ten.
- The OWASP Proactive Controls is the answer to how to fix/avoid the issues of the OWASP Top Ten.
- #ThreatModeling is analyzing representations of a system, to uncover the security and privacy challenges that exist.
- Read more — The best threat modeling representation
- Why do we have so many 4-letter acronyms in #AppSec? SAST, DAST, IAST, and RASP, oh my!
- Security culture is measured by what your developers do with a security problem when nobody is looking.
- Security champions are a force multiplier for your security team.
- Imagine a future where all developers are security enlightened.
- Everyone is a security person — no matter your functional role within the organization, you own a piece of the security solution.
- Security culture eats strategy for breakfast.
- People, process, tools, and GOVERNANCE. Governance is the piece that everyone always forgets.
- Security should never be a gatekeeper — security should open doors, not shut them.
- Regardless of how much effort you put into breaking, security is no better until the builders engage.
- OWASP is a treasure trove of security resources.
- Read more — How to do application security on a budget
- Break the build for vulnerable open source and third-party components, but provide a filtering mechanism that lets builds progress when there is no known fix.
- Shift {left, right, outwards} – just start.
- The Sec in #DevOps is silent.
- GitHub is a terrible place to store secrets.
- Teach the developers the underlying principles of the tools, and then watch how the tools magnify #AppSec.
- Security requires the ability to sell and market. The best security people can explain their idea well, share the value prop, and communicate.
- Developers take pride in their craft — they want to create more secure code — you must show them the way.
- Pipelines are the best way to represent a #DevSecOps build pipeline.
- Developers must understand all the component pieces of the build pipeline. Developers are smart — they’ll provide feedback on those pieces and help tune the tools.
- Launching a new security tool does not mean we enable every policy — increasing the fidelity of the security tool results in developer buy-in.
- Security people must learn how to code. The resources on the Internet are vast, and the excuses for why you don’t need to code are few.
- The DevSecOps Maturity Model (DSOMM) is an assessment tool for your DevSecOps and a builder of roadmaps.
- As a security professional, drop the no; try “yes, if.” Be a partner and not a roadblock.
- Threat modeling uncovers design-related issues, and the best threat modeling tool is the human brain.
- Guard rails are a better strategy than roadblocks. Provide limits, and encourage creativity within the boundaries.
- At the end of the day, #AppSec is a people-based solution, with support from the process and the tools.
- We have too many data streams in an #AppSec program; look for tools to correlate and consolidate the streams into developer-usable results.
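As an added example of the build-gate idea above (this is not code from the original post or from any particular scanner): a pipeline step that fails on blocking-severity findings that have a fix, and passes findings with no upstream fix only through an explicit, expiring waiver. The SCA report format, the waiver file, the advisory IDs and the package names are all constructed for the illustration.

```python
import json
from datetime import date

# Constructed SCA output (not a real scanner's format): package, advisory id,
# severity, and the fixed version if the advisory lists one.
SCA_REPORT = json.loads("""
[
  {"package": "libalpha", "version": "1.2.0", "id": "ADV-0001",
   "severity": "high", "fixed_in": "1.2.1"},
  {"package": "libbeta", "version": "3.0.0", "id": "ADV-0002",
   "severity": "critical", "fixed_in": null},
  {"package": "libgamma", "version": "0.9.0", "id": "ADV-0003",
   "severity": "low", "fixed_in": "0.9.5"}
]
""")

# The filtering mechanism: a reviewed, owned, expiring exception for a
# finding that has no fix yet. Hypothetical waiver file, constructed here.
WAIVERS = {
    "ADV-0002": {"owner": "team-payments", "expires": "2099-01-01",
                 "reason": "no fixed release yet; compensating control in place"},
}

BLOCKING_SEVERITIES = {"critical", "high"}


def evaluate(findings, waivers, today=None):
    """Return (should_fail, blocking, allowed) for the build gate."""
    today = today or date.today()
    blocking, allowed = [], []
    for f in findings:
        if f["severity"] not in BLOCKING_SEVERITIES:
            allowed.append((f["id"], "below severity threshold"))
        elif f["fixed_in"] is not None:
            # A fix exists: there is no reason to let the build through.
            blocking.append((f["id"], f"fix available: {f['fixed_in']}"))
        else:
            w = waivers.get(f["id"])
            if w and date.fromisoformat(w["expires"]) >= today:
                allowed.append((f["id"], f"waived until {w['expires']}"))
            else:
                # No fix and no valid waiver: someone must own the exception.
                blocking.append((f["id"], "no fix and no valid waiver"))
    return bool(blocking), blocking, allowed


if __name__ == "__main__":
    fail, blocking, allowed = evaluate(SCA_REPORT, WAIVERS)
    print("BUILD FAILED" if fail else "BUILD OK", blocking, allowed)
```

Expired waivers fall back to blocking, so an exception cannot quietly outlive the upstream fix it was waiting for.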