Application Security Manager: developer or security specialist?
Most successful attacks on organizations go through vulnerabilities and backdoors in software. Fortunately, companies no longer regard a software vulnerability scanner as something exotic but as a necessary element of the protection infrastructure. With small volumes of development the scanner can be used as-is; when volumes are large, the process has to be automated. But who should manage it? Decide how often releases are checked? Verify the vulnerabilities found? Decide whether to veto a release and send the code back to fix them? And answer many other questions. This is where the Application Security Manager, the manager of secure software development, comes to the forefront.
But where to find such a rare bird, or how to grow one yourself? Artem Bychkov, application security manager at Raiffeisenbank JSC, and Daniil Chernov, head of Solar appScreener at Rostelecom-Solar, describe the requirements for an application security manager dictated by development practices in Russian companies.
Who is the Application Security Manager?
Sooner or later organizations realize they need such a person on the team, in particular because none of the specialists already in the company fits the role directly. Developers? Their experience is tied to building software; translating the vulnerabilities found into information security risks, let alone business risks, is very hard for them. Security specialists? Immersing themselves in the intricacies of development is problematic for them: verifying vulnerabilities requires reading code in different languages, which takes serious development experience.
Let us look at the tasks that arise when implementing a secure development process and that fall to the Application Security Manager (AFM).
The reader may assume that the AFM's work is solely about verifying software against security requirements. But security issues arise at various stages of a system's life cycle, from design through deployment to production. There are various models for building a secure development cycle (Software Security Touchpoints, SDLC-based models and others) and various ways of embedding these practices in the process (depending on the approach used: waterfall or agile). But they all agree on the key point: security has to be considered at every stage of the system's life cycle.
Obviously, in a more or less large project one person is unlikely to be able to do the work at all stages. Rarely can anyone alone develop the application's security requirements, review its architecture and check the analysts' output, conduct a code security audit, verify that the necessary application security tests were run during testing, and confirm that the system was deployed securely and configured correctly. Moreover, these activities are often carried out by representatives of different teams and units. For the whole mechanism to work as it should, the AFM must be the driving force of the process. The AFM's task is to ensure that secure development practices are implemented, either personally or by delegating particular tasks to specialized specialists. However, based on our practice,
What are the requirements for an AFM?
Firstly, the AFM must understand the project being supported. This is especially important in agile development, where, unlike the waterfall model, you do not have two months to conduct a review before release. It depends on the AFM, for example, how the requirements formed at the design stage are interpreted by the team, how they map onto the architecture, whether they are realizable at all, and whether they will create serious technical problems later. Most often the AFM is the main consumer, interpreter and evaluator of automated tool reports and third-party audits. It is the AFM who filters out irrelevant and false results, evaluates risks, and takes part in managing exceptions and developing compensating measures.
Here is an example from practice: an audit or a source code scanner revealed the use of an insecure hash function (MD5) in a project. Company policy formally insists it cannot be used, and the vendor agreed to replace the function with a more secure one in three months and for a large sum. The nuance was that in this case the hash function's lack of collision resistance did not affect the system's security, because the function was not used to protect integrity. In this case the formal approach, replacing one function with another, meant an unreasonably delayed release to production and significant costs for zero gain in security.
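What the MD5 story amounts to in practice is an exception policy: a weak-hash finding is a must-fix only where the hash's collision or preimage resistance is actually relied on, and the default, when nobody has read the code, is "fix". The following is an added example written for this page, not code from the article, from Raiffeisenbank or from any scanner vendor. The scanner report format, the finding identifiers, the exception register and the password wordlist are all constructed for illustration; the triage rules and the dictionary check on an unsalted MD5 password hash are the part worth reading.

```python
"""Triage of weak-hash findings against how the value is actually used.

Added example, not the article's or any product's code. FINDINGS mimics a
hypothetical scanner report; EXCEPTION_REGISTER mimics what an AFM records
after reading each flagged line. Everything here is constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    id: str
    rule: str
    file: str
    snippet: str


# Constructed sample report in a hypothetical scanner format.
FINDINGS = [
    Finding("F-1", "weak-hash-md5", "cache/keys.py",
            "key = hashlib.md5(url.encode()).hexdigest()"),
    Finding("F-2", "weak-hash-md5", "auth/passwords.py",
            "stored = hashlib.md5(password.encode()).hexdigest()"),
    Finding("F-3", "weak-hash-md5", "api/webhooks.py",
            "ok = hashlib.md5(body).hexdigest() == sig"),
    Finding("F-4", "weak-hash-md5", "etl/partition.py",
            "shard = int(hashlib.md5(row_id).hexdigest(), 16) % 64"),
]

# Uses where a chosen-prefix collision or a second preimage buys an attacker
# nothing: the hash is a bucket label, not a security control.
NON_SECURITY_USES = {"cache_key", "sharding_key", "etag", "telemetry_id"}

# Hypothetical exception register, filled in by the AFM after reading the code:
# finding id -> (how the value is used, justification, review-by date).
# F-2 is deliberately absent: nobody has reviewed it yet.
EXCEPTION_REGISTER = {
    "F-1": ("cache_key",
            "Collision only causes a cache miss; no integrity or auth decision.",
            date(2025, 12, 31)),
    "F-3": ("integrity_check",
            "Webhook signature over an attacker-controlled body.",
            date(2025, 12, 31)),
    "F-4": ("sharding_key",
            "Partition selector; uneven sharding is a performance issue.",
            date(2025, 12, 31)),
}

AS_OF = date(2025, 6, 1)  # constructed "today" so the expiry check is deterministic


def triage(finding, register, today):
    """Return (verdict, reason) for one finding; verdict is 'fix' or 'accept'."""
    if finding.rule != "weak-hash-md5":
        return "fix", "no exception policy defined for this rule"
    entry = register.get(finding.id)
    if entry is None:
        return "fix", "usage not reviewed; treated as security-relevant by default"
    use, justification, review_by = entry
    if use not in NON_SECURITY_USES:
        return "fix", f"MD5 used as {use}: its weakness is reachable ({justification})"
    if today > review_by:
        return "fix", "exception expired; re-review required"
    return "accept", f"{use}: {justification}"


def triage_report(findings, register, today):
    """Map every finding id to its (verdict, reason)."""
    return {f.id: triage(f, register, today) for f in findings}


def crack_unsalted_md5(stored_hex, wordlist):
    """Why F-2 is exploitable: unsalted MD5 of a password falls to a dictionary."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == stored_hex:
            return word
    return None


# Constructed data for the F-2 demonstration: what auth/passwords.py would store.
STORED_HASH = hashlib.md5(b"Summer2024").hexdigest()
WORDLIST = ["password", "123456", "Winter2023", "Summer2024", "letmein"]


if __name__ == "__main__":
    for fid, (verdict, reason) in triage_report(FINDINGS, EXCEPTION_REGISTER, AS_OF).items():
        print(f"{fid}: {verdict:6} {reason}")
    print("F-2 recovered password:", crack_unsalted_md5(STORED_HASH, WORDLIST))
```

The register entry carries a review-by date on purpose: an accepted exception is a decision about today's code, and the same cache key can become a security control after a refactor, so the policy falls back to "fix" once the date passes.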
Secondly, in addition to the first point, the AFM needs knowledge from several fields: an understanding of development processes and of information security principles. Hard skills matter too, because it is very difficult to critically evaluate the work of specialized specialists and automated tools if you cannot read code or do not understand the possible ways of exploiting vulnerabilities. Surely many have faced a situation where a critical vulnerability appears in a code analysis or pentest report, but the developers disagree (and, as a rule, they also want to build a secure system) and point out that the auditors were unable to actually exploit the vulnerability. How do you judge who is right in such a situation? Without technical skills, resolving the dispute objectively will be difficult.
Another example from practice: a new scanning tool is introduced, its performance is checked on a reference project, and then it goes into production use. Projects are gradually connected to it, a pretty green dashboard is drawn ... and then an information security incident occurs. As it turns out, the "hole" that was used should have been detected at the dynamic analysis stage. But that did not happen, because nobody had looked at how this top-end vulnerability scanner, which usually produces excellent results, handles SPA applications built on the new JavaScript framework. It turned out that it could not "see" the dynamically generated authentication form and run the necessary checks. And nobody paid attention, because everything seemed to work. The developers had no need to delve into the specifics of how the scanners function,
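A green dashboard only says the scanner found nothing in what it looked at. Two checks would have caught the case above before the incident: confirm that the crawler's view of the page contains the login form at all, and compare the routes the scanner's requests actually reached against the routes that carry authentication logic. The block below is an added example for this page, not code from the article or from any scanner; the HTML snippets, the route list, the scanner user-agent string and the access log lines are all constructed.

```python
"""Two coverage checks for a DAST run: added example, not the article's code.

LEGACY_LOGIN_HTML / SPA_SHELL_HTML, ROUTES, SCANNER_UA and ACCESS_LOG are
constructed for illustration. A crawler that does not execute JavaScript
sees SPA_SHELL_HTML exactly as written here: no form, nothing to attack.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: a server-rendered login page versus a SPA shell whose login
# form is built by app.js after load.
LEGACY_LOGIN_HTML = """<html><body>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form></body></html>"""

SPA_SHELL_HTML = """<html><body>
<div id="app"></div>
<script src="/static/app.js"></script>
</body></html>"""

# Constructed: the application's routes (as taken from its router config)
# and whether each one carries authentication logic the scan must exercise.
ROUTES = {
    "/": False,
    "/static/app.js": False,
    "/api/auth/login": True,
    "/api/auth/reset": True,
    "/api/orders": False,
}

SCANNER_UA = "ExampleDAST/1.0"  # hypothetical user-agent the scanner sends

# Constructed access log (combined log format). The scanner fetched the shell
# and the bundle; the only request to the login endpoint came from a human.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "ExampleDAST/1.0"
10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 90231 "-" "ExampleDAST/1.0"
10.0.0.9 - - [01/Jun/2025:10:00:03 +0000] "POST /api/auth/login HTTP/1.1" 200 84 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


class FormFinder(HTMLParser):
    """Collect <form> elements and their <input> names from static markup."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a.get("name", ""))


def find_forms(html):
    """Check 1: what a non-JS crawler would see as attackable forms."""
    parser = FormFinder()
    parser.feed(html)
    return parser.forms


def scanner_coverage(log_text, routes, scanner_ua):
    """Check 2: (routes the scanner hit, auth routes it never reached)."""
    hit = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("ua") == scanner_ua:
            hit.add(urlsplit(m.group("target")).path)
    covered = sorted(r for r in routes if r in hit)
    missed_auth = sorted(r for r, is_auth in routes.items() if is_auth and r not in hit)
    return covered, missed_auth


def scan_covers_auth(log_text, routes, scanner_ua):
    """Gate for the dashboard: green only if every auth route was exercised."""
    return not scanner_coverage(log_text, routes, scanner_ua)[1]


if __name__ == "__main__":
    print("legacy page forms:", find_forms(LEGACY_LOGIN_HTML))
    print("SPA shell forms:  ", find_forms(SPA_SHELL_HTML))
    covered, missed = scanner_coverage(ACCESS_LOG, ROUTES, SCANNER_UA)
    print("scanner reached:", covered)
    print("auth routes never reached:", missed)
    print("trust the green dashboard:", scan_covers_auth(ACCESS_LOG, ROUTES, SCANNER_UA))
```

The second check is the one that generalizes: it needs nothing from the scanner except a recognizable user-agent (or source address) in the application's own logs, so it works for any DAST product and any framework, and it turns "the scanner ran" into "the scanner reached the code paths we care about".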
Where to find such a specialist
Anyone who has studied the market has run into an acute shortage of application security experts. Typically the scenario goes like this: internal customers draw up requirements for the candidate and hand them to HR. If the requirements are stringent, an open search yields zero candidates, since ready-made specialists very rarely post their résumés publicly. When they change jobs, it most often happens easily and naturally through existing contacts. What to do?
You can try to lure a professional away from another company, but for various reasons this path is not always acceptable. Increasingly, tenders for AFM outstaffing appear on the market, which quite successfully closes the gap by renting experts from a service provider.
But there is another option: grow your own professional. Suitable candidates for this role may come from two areas:
- people from development who are keen on security or want to develop in that field;
- technically minded security specialists who are familiar with software development and want to dive deeper into the topic.
Both kinds of candidates will need to acquire the knowledge they lack. People from development who want to "retrain" will have a better understanding of the existing culture and processes in teams they know, and mastering the information security side can take them quite a bit of time. However, experience shows that among developers, testers, analysts and architects you can find people interested in security who already have a certain amount of application security knowledge. They can be ideal candidates for the AFM role.
Professional security specialists will have to acclimatize, changing their habitual ways of organizing work and adopting the culture of the development teams. However, if a security specialist writes code and is familiar with development processes, joining the team will be quick and simple.
Summary
Development security control is primarily a business process, whose successful functioning requires coordinated interaction of all team members. The "heart" of this process is a qualified AFM: at once the inspirer, the driving force, the executor of many tasks, the controlling manager, and much else. In short, a jack of all trades. Finding or raising such a specialist is not easy, but if you succeed, everyone will be happy.