Application Security In Depth: Understanding The Three Layers Of AppSec Testing
Overview
Today’s approaches to defense in depth for application security are siloed and lack context, thus results have fallen short. But a layered approach is the key to building a world-class AppSec program that spans the entire Software Development Lifecycle (SDLC). So, how does our approach need to change?
In this webinar, you’ll hear from three experts at each of the core security touchpoints within the Software Development Life Cycle (SDLC): at the code level, pre-deployment, and post-deployment.
Speakers include Nabil Hannan, managing director at NetSPI, Moshe Zioni, VP of strategy research at Apiiro, and Samir Sherif, CISO at Imperva.
During this webinar, speakers will discuss:
- Key timeframes to implement security testing – and why
- How to incorporate risk context across the SDLC
- Best practices for application penetration testing and secure code review
- Proper implementation of application security tools for continuous monitoring
- Plus, more tips to achieve a layered application security strategy
Key highlights:
- 1:21 – The state of AppSec testing
- 3:55 – Contextual AppSec testing
- 14:45 – Best practices for application pentesting and secure code review
- 30:40 – The implementation journey
- 42:00 – Q&A
The State of AppSec Testing
To get started, it’s important to have an understanding of the current state of today’s AppSec programs and application security in general.
Key challenges with application security include:
- Siloed: Application security programs are siloed in most organizations. AppSec-related activities often happen without being in sync with the rest of the organization, but effective application security requires collaboration across the board.
- Lacks context: A lot of testing happens in different phases of the software development lifecycle (SDLC), but oftentimes it tends to lack context. Testing may be driven by customer needs or regulatory and compliance requirements, but often there’s not enough testing being done based on an organization’s software context and understanding when and why you need to test systems, other than specific requirements from external pressures.
- Results fall short: When application security testing is siloed, lacks context, and doesn’t have proper strategy, the results are more likely to fall short.
A layered testing approach is the key to building a world-class AppSec testing program that spans the entire SDLC, including code level, pre-deployment, and post-deployment.
Contextual AppSec Testing
For AppSec testing to be effective, context from across the SDLC is required to understand risk.
Some of the benefits of context in each stage across the SDLC include:
- Design
- Prioritize and trigger threat model sessions
- Trigger contextual compliance reviews
- Branch
- Trigger contextual security code reviews and enrich data from SAST/SCA/GWs
- Trigger contextual compliance reviews
- Automate manual risk questionnaires
- Automate code governance
- Repository
- Gain complete visibility into AppSec infrastructure and CSS
- Actionable remediation work plan
- Trigger incremental plan testing
- Reduce SAST & SCA FP and prioritize results
- Detect compromised results
- CI/CD
- Prevent build-time code injection attacks (SolarWinds)
Best Practices for Application Pentesting and Secure Code Review
Understanding best practices for application pentesting and secure code review can help ensure your approach is as effective as possible.
Here are some ways optimize your application pentesting:
1. Risk-based pentesting is key
- Understand how your business makes money
- Prioritize remediation of vulnerabilities that pose the greatest risk to the organization
- Loop in finance and risk leadership
- Contextual pentesting
2. Strategy is the future
- Informed pentesting is more valuable, as hackers aren’t bound by time
- Threat modeling and secure design reviews
- Pair point-in-time testing with always-on monitoring
- Bug bounty vs. pentesting
3. Enable manual testing
- Enable your testing team to find vulnerabilities that tools miss
- According to NetSPI testing data, 63% of critical vulnerabilities are found through manual testing
- External network pentesting finds 10x more critical vulnerabilities than a single network vulnerability scanning tool
4. Take a holistic approach
- Validation of security controls
- Understanding how everything works together
Another important aspect is building an effective secure code review program. Some step to do this include:
- Establish a security culture and listen to your developers
- Create simple and effective methodologies and processes
- Plan application onboarding and scan frequency
- Understand that remediation matters most
- Measure and improve over time
As you formalize your company’s AppSec program, following a maturity checklist can help set the program up for success.
Make sure to include the following steps your application security program maturity checklist:
- Formalize your roadmap
- Governance in the SDLC
- Establish metrics that matter
- Be an AppSec ambassador
The Journey to Implement AppSec
When it comes to how an organization looks at and approaches application security in general, breadth is an important framework to redefine and conceptualize application security.
This framework includes:
- Shift-left to dev training and code analysis
- Heavy focus on in-app and perimeter protections
- Shift-right to advanced, proactive, and managed services
Left-to-right application security features the following solutions:
- Awareness and education
- Learning, training, threat modeling
- Code analysis
- SAST, DAST, IAST, SCA, code risk
- In-app protection
- RASP, CWPP (EW)
- Perimeter protection
- WAAP, CWPP (NS), DDoS, Zero Trust
- Advanced solutions
- Bot, insights, fraud, 3rd party, TI, CDR, DLP
- Proactive solutions
- VM, CSPM, CIEM, BAS, EASM, MDR
Partner with NetSPI to Improve Application Security
NetSPI’s Application Security as a Service helps organizations manage multiple areas of their application security program.
Our AppSec as a service capabilities combine the power of technology through our vulnerability management and orchestration platform with our leading cybersecurity consulting services featuring expert human pentesters to ensure you can build and manage a world-class application security program.
Learn more about our AppSec as a service offerings and partner with NetSPI to drive your application security program forward to meet your security objectives. Schedule a demo today.