How to Assess Application Security
Assessments are a clever way to gauge the performance of any given thing, whether it’s a team hitting KPIs, your knowledge of geography, or how quickly a website loads in the browser. Without assessments, you have no benchmark to determine whether something is performing well, as expected, or is failing to meet expectations.
Application security is no different.
If you have no idea of how secure your application is via benchmarking, how can you say with confidence how secure it is based simply on what you think is going on? An AppSec assessment shows where your application vulnerabilities lie and thus what you should do about them.
42% of respondents indicate they have unmanaged risk within their portfolio - State of Application Security Operations 2022 Report
How often should you assess application security?
Assessing application security can be done on an as-needed basis or continuously as part of a wider DevSecOps process. While the latter is preferred for mature organizations, everyone needs to start somewhere, so this may be on an as-needed basis to begin with. For as-needed assessments, schedules vary from organization to organization and may need to be more regular in highly security-conscious industries and verticals. A good rule of thumb is to conduct an assessment at least once a year.
Thankfully, the first assessment is the most time-consuming. Once you have run one, you will have a set of documented processes to follow next time, along with lessons learned about organization and documentation. The first assessment also helps you determine which kind of solution is the best fit for continuous application security monitoring within your business.
In-house vs external web application security assessment
The decision of whether to conduct an AppSec assessment in-house, via an external party, or with the help of an external consultant is always up to you. Organizations that have no team leaders with experience in AppSec assessments often decide to bring in a consultant to help them organize resources, document everything, and conduct the assessment, as well as help with recommendations. For companies with limited on-staff resourcing, the entire process may be outsourced to an external party, with a point of contact within the internal team chosen to be in charge of in-house management and operations.
How to prepare for your first AppSec assessment
Preparing for an AppSec assessment is just as important as carrying out the assessment itself. Here are the steps required before undergoing an assessment:
Identify all assets
Listen: LTAPod #14 – Discovering Assets and Determining Ownership
Mapping all your assets is the first step in preparing for your AppSec assessment. Here, you will need to not only identify your code assets, but systems infrastructure and software, too, as well as third-party libraries, APIs, etc. which plug into your systems.
Identify sensitive data
To determine the risk of particular assets, you must be aware of where sensitive data lies and how it is processed.
Identify current controls
Controls include identity and access management as well as technical measures such as firewalls and encryption of data. Controls can be listed against assets, or assets against controls.
Identify threats
While covering the complete threat landscape might feel like an impossible undertaking, you must be able to identify the most common and likely threats to your application security. A good start is OWASP’s Top 10 Web Application Security Risks and the CWE Top 25.
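As an added example that is not part of the original article, the following Python script ties the four preparation steps together in one register: each asset records the sensitive data it handles, the controls in place and the threats considered relevant to it, and a gap check lists the threats that no current control mitigates, ordering assets that handle sensitive data first. The assets, the control-to-threat mapping and the threat names are constructed for illustration; a real register would be agreed with whoever leads the assessment.

```python
"""Pre-assessment register: assets, sensitive data, controls, threats (constructed example)."""
from dataclasses import dataclass, field

# Which controls are accepted as mitigating which threat categories.
# Constructed mapping for illustration only.
CONTROL_MITIGATES = {
    "parameterized-queries": {"sql-injection"},
    "waf": {"sql-injection", "xss"},
    "output-encoding": {"xss"},
    "mfa": {"broken-authentication"},
    "tls": {"data-in-transit-exposure"},
    "encryption-at-rest": {"data-at-rest-exposure"},
    "dependency-scanning": {"vulnerable-components"},
}


@dataclass
class Asset:
    name: str
    kind: str                                   # code, infrastructure, third-party, api
    sensitive_data: set = field(default_factory=set)   # e.g. {"pii", "payment"}
    controls: set = field(default_factory=set)         # keys of CONTROL_MITIGATES
    threats: set = field(default_factory=set)          # threats judged relevant


def unmitigated_threats(asset):
    """Threats listed for the asset that none of its controls covers."""
    covered = set()
    for control in asset.controls:
        covered |= CONTROL_MITIGATES.get(control, set())
    return sorted(asset.threats - covered)


def gap_report(assets):
    """Map asset name -> unmitigated threats, assets holding sensitive data first.

    Assets with no gaps are left out so the report is the assessment's to-do list.
    """
    report = {}
    ordered = sorted(assets, key=lambda a: (not a.sensitive_data, a.name))
    for asset in ordered:
        gaps = unmitigated_threats(asset)
        if gaps:
            report[asset.name] = gaps
    return report


# Constructed inventory: two internal assets, one public site, one library.
SAMPLE_ASSETS = [
    Asset("customer-portal", "code", {"pii", "payment"},
          {"parameterized-queries", "tls", "mfa"},
          {"sql-injection", "xss", "broken-authentication", "data-in-transit-exposure"}),
    Asset("reporting-db", "infrastructure", {"pii"},
          {"tls"},
          {"data-at-rest-exposure", "data-in-transit-exposure"}),
    Asset("marketing-site", "code", set(),
          {"waf", "output-encoding"},
          {"xss", "sql-injection"}),
    Asset("pdf-render-lib", "third-party", set(),
          set(),
          {"vulnerable-components"}),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_ASSETS).items():
        print(f"{name}: no control for {', '.join(gaps)}")
```

Running the script lists customer-portal (no XSS control), reporting-db (no encryption at rest) and pdf-render-lib (no dependency scanning); marketing-site does not appear because its controls cover every threat it lists. Keeping the mapping in one table makes it easy to argue about later, which is exactly the discussion an assessment should provoke.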
What to cover in an AppSec assessment
Assessing your applications should be done at every stage of the Secure Software Development Lifecycle, from build to production. Several different types of scanners can help you identify issues as your applications move through development.
Source code scanning
Static application security testing (SAST) runs a checker over your own source code to find vulnerabilities that are apparent from the code alone, such as buffer overflows and hardcoded credentials. The application does not need to be running for a SAST tool to do its job.
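To show what "apparent just within the code" means in practice, here is an added example, not from the article or any vendor's product, of a toy SAST check written in Python. It parses a module with the standard library's ast module, never executes it, and reports string literals that are assigned to names, or passed as keyword arguments, that look like credentials. The name regex, the placeholder patterns and the sample module are constructed assumptions; a real checker covers far more patterns and languages.

```python
"""Toy static checker for hardcoded credentials (constructed example)."""
import ast
import re

# Variable or keyword names that usually carry a secret (constructed heuristic).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key", re.IGNORECASE)
# Values that are obviously placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"^(|<.*>|\$\{.*\}|changeme|x+|todo)$", re.IGNORECASE)


def _is_literal_secret(value):
    """True for a non-placeholder string literal."""
    return (isinstance(value, ast.Constant) and isinstance(value.value, str)
            and not PLACEHOLDER.match(value.value))


def _target_names(target):
    """Yield the names an assignment writes to (x, obj.attr, a, b = ...)."""
    if isinstance(target, ast.Name):
        yield target.id
    elif isinstance(target, ast.Attribute):
        yield target.attr
    elif isinstance(target, (ast.Tuple, ast.List)):
        for elt in target.elts:
            yield from _target_names(elt)


def find_hardcoded_secrets(source, filename="<source>"):
    """Return sorted (line, name, message) tuples for suspicious literals.

    The source is only parsed, never imported or run: that is the SAST property.
    """
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            pairs = [(n, node.value) for t in node.targets for n in _target_names(t)]
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            pairs = [(n, node.value) for n in _target_names(node.target)]
        elif isinstance(node, ast.Call):
            # connect(password="...") style keyword arguments
            pairs = [(kw.arg, kw.value) for kw in node.keywords if kw.arg]
        else:
            continue
        for name, value in pairs:
            if SECRET_NAME.search(name) and _is_literal_secret(value):
                findings.append((node.lineno, name, "hardcoded credential in string literal"))
    return sorted(findings)


# Constructed module under test; only lines 2 and 6 should be reported.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "hunter2"
api_key = os.environ["API_KEY"]
token = ""
settings.secret_key = "<fill me in>"
conn = connect(host="db", password="s3cr3t")
'''

if __name__ == "__main__":
    for line, name, message in find_hardcoded_secrets(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: {name}: {message}")
```

The value read from os.environ is not flagged because it is not a literal, and the empty and angle-bracket values are treated as placeholders; tuning those two lists is where most of the false-positive work in a real SAST deployment goes.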
Applications scanning
Applications must be scanned with vulnerability scanning tools that help detect where current vulnerabilities might lie, in terms of threats like SQL injection, broken authentication, and insecure server configurations. This is particularly important in perimeter monitoring, where we discover all public-facing applications or components. A deeper level of web application security assessment scanning will involve other components that may not be on the web perimeter, but further along the software supply chain.
Dynamic application security testing (DAST) runs the application and simulates outsider attacks against it to determine how exposed the system is, as part of the application vulnerability assessment.
Vendor application testing
Along the software supply chain, you'll have third-party apps and services. These should also be scanned as part of the vulnerability assessment and checked to ensure they are all up to date.
A note on Interactive Application Security Testing (IAST)
Interactive Application Security Testing (IAST) is considered to be a combination of both SAST and DAST tools and is a solution that slots into the CI/CD process. DAST functions are automated so that they are triggered on certain events in the pipeline, such as code commits. An IAST tool may be a more comprehensive solution to deploy for those who have never run an application security assessment; however, it can take longer to introduce into your environment.
How to choose your application security assessment tools
Choosing an application security assessment vendor is contingent on the business constraints you have and the outcomes you wish to achieve from the assessment. For some, low-cost solutions are important, which may mean a combination of open-source tools and in-house scripting for coordination. Over the longer term, however, the cost of this hacked-together approach adds up: it makes DevSecOps near impossible, and AppSec becomes an afterthought, a set-and-run activity.
More sophisticated commercial solutions can be deployed to monitor your asset landscape, triage and alert on vulnerabilities based on risk profiles, and inform developers in their environment where changes need to occur. A continuous application security assessment solution should be a priority for software development houses, much as is already the case with continuous infrastructure security.
Reporting and recommendations post-assessment
Once the application security assessment has been performed, you will have indications of where vulnerabilities lie within your application landscape. Based on the risk profile of each, these vulnerabilities can then be patched in priority order, to best prevent security incidents from occurring and improve the security posture of your applications.
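The prioritization step can be illustrated with an added Python example (not ArmorCode's code or any tool's output) that takes findings from three hypothetical scanners, merges duplicates that describe the same weakness at the same place, keeps the worst reported severity, and ranks the result by severity weighted with the asset's exposure and data sensitivity taken from the inventory. The asset context, the weights and the findings are constructed, and the location strings are assumed to have already been normalized across tools, which in practice is the hard part of correlation.

```python
"""Correlate scanner findings and rank them by risk (constructed example)."""

# Constructed scales; the numbers only need to order findings sensibly.
SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}
DATA_WEIGHT = {"payment": 1.5, "pii": 1.3, "none": 1.0}

# Asset context as it would come out of the inventory step (constructed).
ASSET_CONTEXT = {
    "customer-portal": {"exposure": "internet", "data": "payment"},
    "admin-console": {"exposure": "internal", "data": "pii"},
    "marketing-site": {"exposure": "internet", "data": "none"},
}

# Constructed findings from three tools; the first two describe the same SQL
# injection and should collapse into one item.
RAW_FINDINGS = [
    {"tool": "sast", "asset": "customer-portal", "location": "api/orders.py:42",
     "cwe": "CWE-89", "severity": "high"},
    {"tool": "dast", "asset": "customer-portal", "location": "api/orders.py:42",
     "cwe": "CWE-89", "severity": "critical"},
    {"tool": "dast", "asset": "marketing-site", "location": "/search",
     "cwe": "CWE-79", "severity": "medium"},
    {"tool": "sca", "asset": "admin-console", "location": "requirements.txt",
     "cwe": "CWE-1104", "severity": "high"},
    {"tool": "sast", "asset": "admin-console", "location": "auth/login.py:10",
     "cwe": "CWE-798", "severity": "medium"},
]


def correlate(findings):
    """Merge findings sharing (asset, cwe, location); keep the worst severity
    and remember every tool that reported the item."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cwe"], f["location"])
        item = merged.setdefault(key, {"asset": f["asset"], "cwe": f["cwe"],
                                       "location": f["location"],
                                       "severity": f["severity"], "tools": set()})
        item["tools"].add(f["tool"])
        if SEVERITY_SCORE[f["severity"]] > SEVERITY_SCORE[item["severity"]]:
            item["severity"] = f["severity"]
    return list(merged.values())


def risk_score(item, context):
    """Severity scaled by how reachable the asset is and what data it holds."""
    ctx = context.get(item["asset"], {"exposure": "internal", "data": "none"})
    return round(SEVERITY_SCORE[item["severity"]]
                 * EXPOSURE_WEIGHT[ctx["exposure"]]
                 * DATA_WEIGHT[ctx["data"]], 2)


def prioritize(findings, context=ASSET_CONTEXT):
    """Correlated findings, highest risk first; ties broken by asset then CWE."""
    items = correlate(findings)
    for item in items:
        item["score"] = risk_score(item, context)
    return sorted(items, key=lambda i: (-i["score"], i["asset"], i["cwe"]))


if __name__ == "__main__":
    for item in prioritize(RAW_FINDINGS):
        tools = "+".join(sorted(item["tools"]))
        print(f'{item["score"]:6.2f}  {item["asset"]:16} {item["cwe"]:9} '
              f'{item["severity"]:8} {item["location"]} [{tools}]')
```

With the constructed data, the internet-facing SQL injection that two tools agree on comes first, the internal console's vulnerable dependency outranks the public site's medium XSS because that console handles PII, and the hardcoded credential lands last. Swapping the weights changes the order, which is the point: the ranking encodes the organization's risk profile rather than whichever scanner shouts loudest.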
Listen: LTAPod #7 – Vulnerability Management - What? When? How?
Your application security assessment and management doesn’t have to be tedious and confusing. With the ArmorCode AppSecOps platform, you can view a centralized set of AppSec findings from all your scanning tools, correlate them to better prioritize issues, and create streamlined workflows to reduce remediation time. If you are considering an application security assessment, ask us for a demo to see how ArmorCode can help.