The biggest challenges—and important role—of application security
Microsoft Security Blog, March 11, 2021
https://www.microsoft.com/en-us/security/blog/2021/03/11/the-biggest-challenges-and-important-role-of-application-security/

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Tanya Janca, Founder of We Hack Purple Academy and author of the best-selling book “Alice and Bob Learn Application Security.” In this conversation, Tanya shares her insights on application security (AppSec), its role in the security organization, and challenges for AppSec professionals.

Natalia: How do you define application security?

Tanya: Application security, or AppSec, is every activity you do to make sure your software is secure. Let’s say there’s a Java developer that uses Spring Boot, and there’s a vulnerability. They hear a podcast about it and say, “I think we should probably update it because it sounded really scary on the podcast.” That contributes to application security.

However, quite often when people talk about application security, they are talking about a formalized program at a workplace to make sure that the applications being released are reliably secure. We want to make sure every single application gets security attention, and that each gets the same security attention and support. We want to do the best we can to verify that it is at the posture that we have decided is our goal. Each organization sets that differently, which I talk about a lot in the book I released last year, but basically, application security professionals want to minimize the risk of the scary apps and then bring everything across the board up to a better security posture. That requires talking to almost everyone in IT on a regular basis. I like to think of application security folks as techie social butterflies.

Natalia: How does the security skills gap impact AppSec?

Tanya: I’m obviously biased because I run a training company, but I started it because people kept asking me to train them on how to do it because there is a gap. There is a gap, in general, in IT security with finding someone who has experience and understands best practices rather than just guessing how to train people.

In application security, there tends to be an even wider gap. I started a podcast in August 2020 called Cyber Mentoring Monday. I started it because I run #CyberMentoringMonday on Twitter, and the entire first year, every single person said, “I want to be a penetration tester,” but then I would ask them more questions because I am trying to find them a skilled professional mentor and lots of them didn’t know what AppSec was. They didn’t know what threat hunting was. They didn’t know what risk analysis was. They didn’t know that forensics or incident response existed. We would talk more and it would turn out that there is a different security focus that they’re really interested in, but they had only ever heard of penetration testing.

That was the same for me. I thought you had to be a penetration tester or a risk analyst, but there are a plethora of jobs. I started this podcast so people could figure out what types of jobs they wanted and because I really want to attract more people to our field. A big problem is there is no perfect way to enter AppSec.

Natalia: What are the biggest challenges for those in AppSec?

Tanya: The first AppSec challenge is education, with some developers not understanding how to create secure code. It’s not that they don’t want to. It’s that they don’t understand the risk. They don’t understand what they are supposed to do and a lot of them feel frustrated because they think, “I want my app to be perfect and the best ever,” and they know security is part of that, but they do not have the means to do it.

The second challenge that I see at almost every single workplace is trying to get buy-in. When I did AppSec full time, at certain places I would spend 50 percent of every day just trying to be allowed to do my job. For instance, I want this new tool, and here are the reasons why, and people would respond by saying, “That’s expensive. Developer tools are cheaper.” I would say, “I’m not a developer.” I had to learn how to communicate with management in a way I never had to do as a developer. When I was a developer, I would just say, “It’s going to be two weeks.” If they asked if I could do it faster, I would ask, “Do you want to pay overtime?” and then they would say either yes, and we would do overtime, or they would say no. There is no persuasion.

With AppSec, I had to say, “We have 20 apps. I know you want to spend a zillion dollars on hiring four penetration testers to test our one mission-critical, super fancy app. But can we hire one for that and could we take the money and look at these legacy things that are literally on fire?” There is a lot of negotiation and persuasion that I had to learn to work in AppSec, which I was surprised about.

Natalia: What is the role of AppSec when it comes to cloud security?

Tanya: I find that everything that’s not taken becomes the AppSec person’s role because no one’s doing it and you’re freaking out about it. If you do AppSec in a company where everything is on-prem, quite often there’s an operations team and they will handle all the infrastructure, so you don’t have to. When you move to the cloud, and especially if you’re working in an org that does DevOps, you must suddenly learn cloud technology, at least the basics.

I’ve talked to many AppSec people and I’ve said, “If you’re moving to the cloud, I know that you think that you’re only in charge of the security of the software, but that’s not true anymore because of the shared responsibility model.” The shared responsibility model means that even if the cloud provider handles patches and the physical security of the data center, if you choose bad configurations, you are responsible for those. So, the first thing you need to do is check out the shared responsibility model to know what your side must do so you don’t miss super important stuff.

When we move to the cloud, understanding shared responsibility is really important and then setting out a process so you get reliable results. Ideally, every phase of the software development lifecycle has one or more security-supporting activities. If you’re using the cloud, there is a decent chance that you’re doing DevOps, in which case the developers become DevOps people. You want to talk to them about securing both development and operations. If they’re just doing development and there is a separate team doing operations, there is a security team helping the operations team but you want to make sure that they receive security assistance. It’s important for developers to understand the basics of cloud security so they don’t accidentally do something terrifying.

With the cloud, one of my favorite things is automation. I used to work for Microsoft and am an Azure fan. Azure has Security Center, which is the best and can automate a bunch of policies and check up on a lot of things for you. Learning how to use it to your advantage is important—learning which parts you want to turn on, which parts you need to budget for in the future, and which parts you’d rather have a third-party tool for. Making those decisions is important for the cloud security team and the AppSec person and then figuring out how to deploy safely and reliably into the cloud.

Keep an eye out for the second part of the interview, as Tanya Janca shares best practices on how to build an application security program and measure its success.

Learn more