Feeds

Too much code, too few application security specialists

Time to loosen up

Internet Security Threat Report 2014

How does this work? The basic idea is that in the planning sprint, the project team works with the security team and the customer to identify key assets and threat agents - like a very high-level threat model. Then the team captures the key risks in "security stakeholder stories" that detail the security interest at stake and the recommended security control. These stories are implemented and tested just like any other stories in agile projects. The outcome is a narrow assurance argument, limited only to the particular story being implemented.

Using test-driven development is excellent for security. By defining a suite of security test cases before development starts, the team is much more likely to include the right controls and use them properly. These tests may not be quite as extensive as a full penetration test by application security experts, but it's certainly a good start.

Over time, organizations will develop a library of threat models, security stakeholder stories, test cases, security controls, and other artifacts that make the process more efficient.

Waterfall dries up

We create several billion lines of new code every year. Its therefore critical that we do more to involve development teams in securing this code. There are simply are not enough application security specialists to handle the new code, never mind the trillions of lines of code already in existence.

Agile can be used to create a well-developed assurance argument complete with test cases proving that the protection is in place. At a minimum, the tight coupling with stakeholder security stories in the agile security approach will get developers more involved with security. Of course, security specialists will still be required to provide guidance and to verify applications for more complex risks.

The application security community has a lot to learn from the agile movement. In a short few years, they have achieved impressive penetration into the software development world. By contrast, only a very few organizations have adopted a "secure" software development methodology. We are in desperate need of new methods for creating security assurance, and agile may hold the key.

Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
HTML5 vs native: Harry Coder and the mudblood mobile app princes
Developers just want their ideas to generate money
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.