Enterprises need to create a more strategic alliance between their application security and cybersecurity teams if they are going to better protect themselves against cyberthreats.
Organizations can no longer wait for attacks to happen and then respond, according to Sean Wright, principal application security SME at Immersive Labs, creators of an enterprise platform that measures the cyber capabilities of their workforce. Instead, they need to embrace the shift-left mantra, which calls for more security-related tasks, testing being a big one, to be performed earlier in the software development process, essentially weeding out potential flaws and vulnerabilities before they’re exploited by attackers.
The end result should be to reduce the risk to the organization, Wright told The Register.
“That’s what security is all about, trying to reduce the risk to the organization,” he said. “If the teams are working together, you help reduce the risk, you help get this thing going across both teams and hopefully throughout the organization as it blossoms out. That ultimately leads to a reduction in risk for the organization. That should be the ultimate goal.”
Immersive Labs today rolled out its initial Cyber Workforce Benchmark report analyzing human cyber capabilities. The report analyzed data from more than 500,000 exercises and simulations run by 2,100 organizations over 18 months. With the exception of the high-profile Log4j vulnerability, the report found it took an average of 96 days to develop the skills and knowledge to defend against breaking threats.
In addition, cybersecurity teams prioritize the development of knowledge and skills against the highest-profile threat groups, and ransomware causes the most uncertainty for crisis response teams.
One area of focus was the application security team, a key component in the expanding DevOps field. The study found that appsec teams completed 78 percent of application security labs faster than the expected completion time, compared with 11 percent of cybersecurity labs. Appsec lab work was completed an average of 2.5 minutes under the expected completion time, while cybersecurity lab work ran 17 minutes over.
“That 78 percent is indicative of probably being aligned more towards things that they work with day in, day out,” Wright said. “Developers are working with code day in, day out, whereas maybe some of these cybersecurity people are working on more niche things that they may need to spend a bit more time on or that they are learning and adapting.”
Appsec team members tend to be developers and quality assurance (QA) pros creating internal applications used within the organization or exposed publicly or privately to customers, while cybersecurity teams’ jobs include penetration testing and responding to incidents, he said. The applications themselves tend to hold a lot of data and are targets for attackers via such well-known threats as SQL injections and cross-site scripting (XSS).
In a shift-left environment, organizations want to drive the primary security as early in the software development process as possible.
“It’s going to be a lot easier to fix and adapt and change things there than once it passes production,” Wright said. “It’s also less risky because if you have this application with all these holes in production vs. modern production, there’s nothing for that attacker to attack. It’s that whole ‘prevention is better than the cure’ type thing.”
This illustrates why it’s important for developers to play a larger role in security. The result is more secure software with fewer flaws that have to be addressed after they’ve been exposed. Immersive Labs spends time explaining to developers why they should care about threats and about developing applications that are more resistant to attacks.
“If they understand that impact, they then are now on the same wavelength as a security team and they can start communicating together on the same kind of time and thought processes,” Wright said.
“In the past, there was always the security teams pushing this to the dev teams and going, ‘You must fix this critical vulnerability.’ Now, trying to get the devs to understand that suddenly makes it more real because developers don’t want to develop insecure code. They don’t want to put the company at risk.”
Power in a union
In the end, both the appsec and cybersecurity teams work for the same organization and have the same objectives, so it makes sense for them to work together, he said.
That was echoed in the Immersive Labs report by Phil Venables, vice president at Google and CISO of Google Cloud, who wrote that what matters in the current cybersecurity climate is not plans but the capabilities of a company that can adapt to rapid change.
“Against modern all-encompassing threats, this means bringing the abilities of the entire workforce to bear,” Venables wrote. “With risk spreading across the organization, so should mitigation. In this way, cybersecurity teams play a more strategic role – as well as being applied technically – but responsibility also is distributed across everything from the SDLC [software development lifecycle] to executive teams.”
That said, Wright is unsure how quickly enterprises are moving to create tighter alignments between their application security and cybersecurity teams. A closer working relationship “could very well impact or make a difference, and it will largely depend on the organization. Some organizations are still very much a mountain of silos. They want to see a security team and an engineering team, but it certainly could help remove some of those silos.” ®