The security community is continuously changing, growing, and learning from each other to better position the world against cyber menaces. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Tanya Janca, Founder of We Hack Purple Academy and author of the best-selling book “Alice and Bob Learn Application Security.” In this conversation, Tanya shares her insights on application security( AppSec ), the key role in the security organization, and challenges for AppSec professionals.
Natalia: How do you define application security?
Tanya: Application security, or AppSec, is every activity you do to make sure your software is secure. Let’s say there’s a Java developer that uses Spring Boot, and there’s a vulnerability. They hear a podcast about it and say, “I think we should probably update it because it voiced really scary on the podcast.” That contributes to application security.
However, quite often when people talk about application security, they are talking about a formalized program at a workplace to make sure that the applications being liberated are reliably secure. We want to make sure every single application gets security attention, and that each gets the same security attention and support. We just wanted to do the best we can to verify that it is at the posture that we have decided is our goal. Each organization determines that differently, which I talk about a lot in the book I liberated last year, but basically, application security professionals want to minimize the risk of the scary apps and then bring everything across the board up to a better security posture. That requires talking to almost everyone in IT on a regular basis. I like to think of application security folks as techie social butterflies.
Natalia: How does security rights abilities gap impact AppSec?
Tanya: I’m obviously biased because I operate a training company, but I started it because people maintained asking me to train them on how to do it because there is a gap. There is a gap, in general, in IT security with finding someone who has experience and understands best practises rather than just guessing how to teach people.
In application security, there tends to be an even wider gap. I started a podcast in August 2020 called Cyber Mentoring Monday. I started it because I operate #CyberMentoringMonday on Twitter, and the entire first time, every single person said, “I want to be a penetration tester, ” but then I would ask them more questions because I am trying to find them a skilled professional mentor and lots of them didn’t know what AppSec was. They didn’t know what threat hunting was. They didn’t know what risk analysis was. They didn’t know that forensics or incident response existed. We would talk more and it would turn out that there is a different security focus that they’re really interesting in, but they had only ever heard of piercing testing.
That was the same for me. I thought you had to be a penetration tester or a risk analyst, but there are a plethora of jobs. I started this podcast so people could figure out what types of jobs they craved and because I genuinely want to attract more people to our realm. A big problem is there is no perfect behavior to enter AppSec.
Natalia: What are the biggest challenges for those in AppSec?
Tanya: The first AppSec challenge is education, with some developers not understanding how to create secure code. It’s not that they don’t want to. It’s that they don’t understand the risk. They don’t understand what they are supposed to do and a lot of them feel frustrated because they think, “I want my app to be perfect and the best ever, ” and they know security is part of that, but they do not have the means to do it.
The second challenge that I ascertain at almost every single workplace is trying to get buy-in. When I did AppSec full day, at certain places I would expend 50 percentage of every day just trying to be allowed to do my job. For example, I crave this new tool, and here are the reasons why, and people would respond by saying, “That’s expensive. Developer tools are cheaper.” I would say, “I’m not a developer.” I had to learn how to communicate with management in a way I never had to do as a developer. When I was a developer, I would just say, “It’s going to be two weeks.” If they asked if I could do it faster, I would ask, “Do you want to pay overtime? ” and then they would say either yes, and we would do overtime, or they would say no. There is no persuasion.
With AppSec, I had to say, “We have 20 apps. I “ve known you” just wanted to spend a zillion dollars on hiring four penetrating testers to exam our one mission-critical, super imagination app. But can we hire one for that and could we take the money and look at these legacy things that are literally on fire? ” There is a lot of discussion and persuasion that I had to learn to work in AppSec, which I was surprised about.
Natalia: What is the role of AppSec when it comes to cloud security?
Tanya: I find that everything that’s not taken becomes the AppSec person’s role because no one’s doing it and you’re freaking out about it. If you do AppSec in a company where everything is on-prem, quite often there’s an operations team and they will handle all the infrastructure, so you don’t have to. When you move to the cloud, and specially if you’re working in an org that does DevOps, you must suddenly learn cloud engineering, at least the basics.
I’ve talked to many AppSec people and I’ve said, “If you’re moving to the cloud, I know that you think that you’re only in charge of the security of the software, but that’s not true anymore because of the shared responsibility model.” The shared responsibility model means that even if the cloud provider manages patches and the physical security of the data center, if you choose bad configurations, you are responsible for those. So, the first thing you need to do is check out the shared responsibility model to know what your side must do so you don’t miss super important stuff.
When we move to the cloud, understanding shared responsibility is really important and then setting out a process so you get reliable results. Ideally, every phase of the software growth lifecycle has one or more security-supporting activities. If you’re using the cloud, there is a decent chance that you’re doing DevOps, in which case the developers become DevOps people. You want to talk to them about fastening both growth and procedures. If they’re just doing developing and there is a separate team do functionings, there is a security team helping the operations team but you want to make sure that they receive security relief. It’s important for developers to understand the basics of cloud security so they don’t accidentally do something terrifying.
With the cloud, one of my favorite things is automation. I used to work for Microsoft and am an Azure fan. Azure has Security Center, which is the best and can automate a bunch of policies and check up on a lot of things for you. Learning how to use it to your advantage is important–learning which portions you want to turn on, which components you need to budget for in the future, and which parts you’d rather have a third-party tool for. Stimulating those decisions is important for the cloud security team and the AppSec person and then figuring out how to deploy safely and reliably into the cloud.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post The biggest challenges–and important role–of application security seemed first on Microsoft Security .
Read more: microsoft.com