Application security is foundational to the software supply chain security ecosystem. But it takes a village. Derek Fisher explains in this fireside chat with Matt Rose.
Considering that 2022 was a record year for software supply chain attacks, organizations in the new year will be focusing their efforts around building a comprehensive software security program. However, with a variety of tools out there, some pertaining to application security and others specifically guarding the software supply chain, organizations should learn the best practices for software security in 2023.
Leaders and security practitioners can learn these best practices in this fireside chat, where Matt Rose, Field CISO at ReversingLabs, spoke with author Derek Fisher about his new book, the “Application Security Program Handbook.”
Fisher has been working in application security (app sec) for over a decade, and in his experiences, has witnessed numerous security successes and failures, making him an expert in best practices. His new book “is for everybody,” Fisher said in his conversation with Rose. It serves as a practical guide for software developers, architects or leaders looking to develop a comprehensive app sec approach in 2023.
Fisher told Rose that he wrote the book in an effort to offer some level of standardization and guidance around what it takes to build and execute a quality app sec program. He shared that most of his book is “not breaking new ground,” but rather is compiling the best sources in the space, making the book an authoritative guide.
His “Application Security Program Handbook” is currently the No. 1 New Release for the Computer Networking category on Amazon. As a fellow app sec expert, Rose wrote the foreword for Fisher's new book.
“This is a foundational book for application security principles, definitions, and concepts.”
Here are key takeaways from the fireside chat.
App sec’s role in securing the software supply chain
A main theme in Fisher’s new book is building an app sec team that best serves the needs of various perspectives within an organization. He believes this requires asking an essential question: “What are your goals?” App sec teams need to identify the priorities of the organization at large, looking to not only the software engineers, but also to those running the business in order to pinpoint these goals, Fisher said to Rose.
Fisher stressed the importance of collaboration between an organization’s app sec and software engineering teams.
“As engineering is expanding, you need to expand with it.”
The typical app sec team, comprised of pen testers, developers and threat modelers, has “to be able to work in parallel with the engineering team” in order to serve its role of verification.
App sec teams need to understand the processes, priorities, and problems that their fellow engineering teams experience, in order to best serve their organization. Fisher defined this as a “path-finding mission” for app sec teams to pinpoint an organization’s goals.
Noisy app sec tools
Having empathy for the work software engineers do will benefit app sec teams in the long run, giving them better insight on what to prioritize. Rose brought up the example of false positives in his discussion with Fisher, calling them “too loud” for engineers, but also citing their importance to security processes.
To find a happy-medium between noisy alerts and security-musts, Fisher says the focus here needs to be reoriented on “risk tolerance.” Because security tools are noisy, the question asked by app sec and engineering teams alike should always be, “is this exploitable?” Fisher believes that engineering teams need to have a higher tolerance for false positives in the early stages of development, but that app sec teams are also responsible for managing the noise.
“[Teams] must avoid losing confidence in security tools.”
Fisher warns that software engineering teams’ confidence in security tooling can be lost if it’s too noisy, inhibiting their ability to work.
Considering that there are several on-going challenges that these teams face, Fisher again stresses that having a “strong partnership” between engineering and app sec teams is what is most important. Collaboration and communication between these teams will mitigate challenges such as noisy false positives. Strong partnership will also help these teams balance security and realistic development processes, while pushing for the “acceptance of risk,” since “there’s always risk,” Rose said.
Software security “takes a village”
Fisher made it clear that app sec teams alone cannot accomplish comprehensive software security, but that app sec needs to “rely on engineers to take care of security as well.”
Rose also pointed out that while app sec tools such as Static and Dynamic Application Security Testing (SAST and DAST) assist in the verification process, these tools do miss software supply chain risks. In his latest glassboard episode, ReversingGlass: DNA of an App, Rose visually explained where the security gaps lie in app sec.
Fisher believes that this lack of coverage is why app sec needs operational security in addition to traditional tooling, so that risks like malware can be spotted in the software production process.
Fisher and Rose agreed that in addition to operational security, tools such as Software Bills of Materials (SBOMs) need to be standardized in a format that is comprehensive and accurate, giving greater insight into software supply chain risk.
The software supply chain is “vast,” says Fisher, and comprehensive software security must address the “security of the pipeline."
End-to-end coverage is key for true software security
Rose and Fisher’s conversation raised many important issues about the state of software supply chain security. App sec teams are just one piece of the puzzle in the grand scheme of software security, yet their role is essential to balancing security concerns with the speed at which DevOps operates. In 2023, it will become more important than ever for organizations to put the right pieces together to execute a comprehensive and effective software security program.
- Get up to speed with top software supply chain security posts
- Learn key trends, what's ahead: The State of Supply Chain Security 2022-23
- Get report: Software supply chain and the SOC: Why end-to-end security is key
- NVD Analysis 2022: Why you need to modernize your software security approach
- SBOM: What it is — and why it matters for software supply chain security
- Get a free SBOM and software supply chain risk report