The Triad of Success in Application Security
Author: Nielet Dmello
Any application security practitioner navigating the complexities of the field can attest to one fundamental truth: all successful application security programs hinge on the harmonious integration of a triad of tools, people, and process. Why does this matter? Because when any one of the three isn't functioning as expected, the failure cascades through the organization's application security program.
The idea of this triad isn't novel; it has been around for decades. It was originally inspired by Harold Leavitt's Diamond model from the 1960s and later revitalized in security circles by Bruce Schneier.
So I thought it might be worth dissecting each of these and relating them to my experiences and where they stand today.
The Synergy of the Triad

1. Tools: The Digital Arsenal
Organizations lean on a set of tools as the first line of defense for both prevention and detection. These include tools that automatically scan code, infrastructure components, libraries, and dependencies for vulnerabilities and potential threats. Some classic examples of commonplace tools that every organization will use in one way or another are:
- Static Application Security Testing (SAST)
- Software Composition Analysis (SCA)
- Cloud Security Posture Management (CSPM)
- Security review questionnaires & automated guidance platforms
Now, does that mean that if you do not have any of these tools, you are insecure? You may never know when a vulnerability or a flaw will manifest in your systems, but I also like this piece of commentary Ross makes in his article "Blessed are the software engineers, for they shall inherit cybersecurity":
While tools are crucial, it's important to note that security is an inherent property of any piece of code. Even in the absence of dedicated application security tools or security engineers, code isn't inherently insecure. Like quality, security is woven into the fabric of software development. However, specialized tools and expertise significantly enhance our ability to identify and mitigate potential vulnerabilities, elevating the overall security posture of our applications.
I will also note that simply buying a vendor tool will not solve the problem (more on that in a future article), and many organizations build custom tooling or plumbing for their particular use cases to make the best use of the tools in their ecosystem.
2. Process: The Guiding Framework
While tools provide the means, processes offer the method. A process outlines a systematic series of actions, steps, or procedures that guide how the tools should be used: the approach to accomplishing a task effectively. Effective security processes ensure consistency and comprehensiveness, integrating security practices seamlessly into the Software Development Lifecycle (SDLC).
Some commonly seen processes around the industry are:
- Secure Code reviews
- Threat modeling
- Application security reviews
- Incident response planning
- Security Risk review and reporting
3. People: The Human Element
We could have all the tools and all the processes, and they could be perfected in their own way. However, there's still one element that cannot be discounted just yet. At least, we collectively have not gotten to that point yet. Someday, hopefully, we will, and I will be chilling at a beach sipping a margarita in a cabana. Sigh.
Every tool and process in some way or another directly impacts the people (security engineers, developers, leadership teams, etc.) in the organization. At the end of the day, it is they who need to act on the outcomes in one way or another.
The true power of the described triad emerges when all three elements work in tandem. The tools augment and amplify human capabilities, processes guide consistent actions and behaviors, and people drive innovation and conscious security culture.
Navigating Constraints

No discussion of application security would be complete without acknowledging the constraints the triad operates under. Wendy Nather calls this the [security poverty line](https://www.uscybersecurity.net/csmag/the-cybersecurity-poverty-line/). Here are some constraints I have noticed and can think of:
Budgetary Constraints: With the end of ZIRP (zero interest-rate policy), budgetary constraints have become the most evident. This hits hard for teams trying to acquire new security tools or invest in headcount growth.
Resource Allocation: In the fast-paced world of software development, security tasks often compete with feature development and project deadlines for attention and resources.
Legacy Systems and Technical Debt: Outdated technologies, legacy systems, and looming tech debt from design decisions that look poor in retrospect are recipes for hard-to-fix vulnerabilities and systemic security flaws.
Organizational Culture and Resistance to Change: Perhaps one of the most challenging aspects is overcoming resistance to new security practices both for the security engineers and the developers.
Skills Gap: Training engineers to build a solid mental model of what risks look like to an organization takes a lot of effort and custom, focused education and training (beyond the compliance-mandated secure coding training).
Scalability and Complexity: As organizations grow, so does the complexity of managing and scaling security.
Navigating the above constraints requires a blend of strategic thinking, creativity, and persistence. It's about finding the right balance, making informed trade-offs, and continuously adapting our approaches to application security. Perfect security is an ideal, but practical and continuously improving security is achievable if each element of the triad gets the necessary balanced attention.
Aligning with the Secure by Design Philosophy
Secure by design means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.
The trio aligns closely with the Secure by Design approach to software development by integrating security into each element of the software development lifecycle (SDLC). Here's how they fit together:
1. Tools: Secure by Design emphasizes selecting the right tools and technologies that inherently promote security. This means adopting secure frameworks, automated security testing tools (like static analysis or dependency scanning), and secure coding libraries.
- Automation: Tools can automate security checks (CI/CD pipelines, code reviews, vulnerability scanning) and ensure security testing is part of the development process.
- Technologies: Choosing secure languages, frameworks, and architectures (e.g., microservices or containerization with security controls) helps reduce attack surfaces from the ground up.
2. People: The success of Secure by Design relies heavily on educating and empowering the people involved in building software. This includes:
- Developer Training: Every one of us building software needs to be equipped with the fundamental security mental model (e.g., secure coding practices, secure design) to understand how their design, architecture, implementation and deployment decisions impact security.
- Collaboration: Security teams must work closely with development and operations teams, and vice versa (air quotes: "DevSecOps"), to ensure security is an integrated responsibility, not an afterthought.
3. Process: Processes define how security is integrated throughout the SDLC. A Secure by Design process involves:
- Threat modeling: Identifying and addressing potential security risks early in the design phase.
- Security reviews: Regular security reviews (code audits, design reviews) are part of the standard workflow, ensuring security is considered at every stage.
- Compliance: Adopting standards (e.g., OWASP, NIST) and maintaining regulatory compliance, as part of both development and post-deployment operations.
Conclusion
Application security is not a destination but a journey for all organizations. By thinking holistically about each element of the triad, we can build reasonably better security that shifts the burden from a reactive necessity to a proactive strength.