The conversation surrounding application security could go a thousand different directions; technology is a massive landscape, after all. For the purposes of this discourse, our focus will be on three particular arms of appsec. Perhaps we could call them the Godfather, the Judge and the Good Samaritan.
While collaboration among all three arms of appsec is essential to the success of developers, software engineers and their respective companies, each has its own independent role too…
In every enterprise, operation and industry there needs to be someone who sets the rules. NIST has long been the “Godfather” of measurements and standards. This is clearly evident when it comes to security measures…
“…to protect individuals, businesses and the government…we need strong encryption. NIST provides trusted tools and guidance to increase the use of encryption.”
and…
“NIST developed a guide to help industry understand and implement cybersecurity approaches to protect them from these threats.”
Those are words straight from the NIST.gov site, and they cover only a fraction of how far-reaching and how important these metrics and standards are to appsec development. That is why companies and organizations having NIST certification carry the Godfather’s stamp of approval. It implies instant trust, reliability and, of course, security. Obeying the Godfather may also keep applications from being condemned by…
Does your program stand up to scrutiny? Is your software package going to endure cross-examination? The Judge will evaluate appsec as a part of that process – thoroughly. CWE acts, “…as a standard measuring stick for software security tools…” and determines who is guilty of faulty and unsafe appsec practices.
Every piece of software and every application must be judged, for the integrity of the entire appsec community. CWE holds that court and is even willing to help the accused mend their errant ways! Correcting those errors is exactly the type of role the Good Samaritan might play.
OWASP is a community of really smart, experienced like-minded people who are willing to get their hands dirty. A great man once said this…
“The achievements of an organization are the results of the combined effort of each individual.”
– Vince Lombardi
OWASP is that organization, working with companies and organizations to achieve the best in appsec development. OWASP provides valuable data through documentation, tools to improve the coding and testing process, and methodologies to enable the best application security results.
The role each of these three plays is determined by where an application sits in its life cycle and where its vulnerabilities are likely to lie.
While OWASP, NIST and CWE stand as pillars of defense in the appsec universe, when and where they are most effective and applicable will be dictated by when they are needed. Through the design and coding process, for example, CWE will act as a litmus test against known software weaknesses. NIST, the Godfather, will be in the background watching, while OWASP will be suggesting development methodologies for structure.
On the other end of the spectrum, during implementation and maintenance, the role of each player takes on a different significance. The Godfather becomes sought after; his approval at this stage can make or break you. CWE will now step out of the spotlight, although the Judge will stay near enough for reference when needed. Once more, the Good Samaritan is hard at work, offering tools and resources to assist in making implementation as safe as possible.
From appsec coding, designing, testing, updating and everything else involved, there are many areas of the process that demand security. Having the right security tools, or being able to work within a cohesive and trustworthy software analytics platform, is a good start.
Having these basic safeguards in place permits a more fluid and effective development process without sacrificing the safety required for appsec. The threats are too many and the job is too great for one developer, one team or one company alone.
Trust your skills and bet on your innovative spirit. Test the boundaries of your imagination and push the limits of development but never forget appsec. Lean on the Judge, the Godfather and the Good Samaritan to guide you, direct you and work right beside you in the trenches.
These three safety pillars are proven and trusted. NIST, to highlight the oldest member of the security council, was founded in 1901. Part of the NIST mission statement defines their goal as, “…advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
While the OWASP and CWE organizations aren’t quite as aged as NIST, both have been used by developers to make appsec better. Application security is a team effort, and the tools and resources provided by these organizations should be a part of that team.
There are more than a few application security practices and more than one way to apply those tools and methods. These three security standards are effective when used together and can be useful in every phase of appsec from start to finish.
Sometimes employing security measures, techniques and practices can be cumbersome or confusing, reducing the effectiveness of, and even the willingness to be, thorough throughout the entire life cycle. OWASP, NIST and CWE have made efforts to be applicable and user-friendly.
With the right team and right resources and the right tools, application security has never been easier.