AppSec Testing: An Often Overlooked Component of DevOps

Posted on April 25, 2017 by Tony Kontzer

No matter how much companies learn about the vulnerability of their applications, or how many people are urging them to address those vulnerabilities during development, they still don't seem get the message.

Despite the fact that just about every DevOps and AppSec vendor is waxing poetic about the importance of AppSec testing, and independent studies are predicting huge growth for the market, many companies continue to sacrifice this crucial undertaking for the sake of speed-to-market.

As a result of their hastiness, they may not establish clear access controls, their authentication may be weak, or perhaps they're slipshod about session management. Such weaknesses are even more likely when the topic is mobile and Internet-of-Things apps, which tend to be rolled out on a more accelerated schedule than Web and desktop apps.

Along those lines, a recent study from the Ponemon Institute found that a staggering 69 percent of IT and AppSec professionals cited time pressures on their development teams as the reason mobile applications contain vulnerable code, and that figure grows to 75 percent for IoT apps.

Meanwhile, in an earlier survey, AppSec vendor Prevoty found that 43 percent of developers say they release applications with known vulnerabilities at least 80 percent of the time.

Such findings represent a confounding disconnect from the abundant messaging from vendors about the importance of incorporating strong AppSec testing into a company's DevOps practices.

In a recent blog post, Pivot Point Security's Bhaumik Shah suggested that "the lack of adequate DevOps security is a major problem because application security breaches are known to be even more frequent, dangerous and severe than network security breaches." Application consultancy IT Labs posited that insecure software is "perhaps one of the most crucial technical problems of our time. And Veracode two years ago devoted a blog post to the "5 Reasons Why the Importance of Application Security Cannot Be Overstated" — and that was before IoT apps were on most companies' radars.

With this combination of drum-banging and clear marketplace need as a backdrop, MarketsandMarkets last year predicted that the market for AppSec testing products and services will grow from $2.24 billion in 2016 to $6.77 billion by 2021.

For those who've gotten the message, the Open Web Application Security Project (OWASP), a community dedicated to the development of apps that can be trusted, published a cheat sheet with a list of more than 100 suggested tasks that should be performed when testing Web application security.

Meanwhile, Vijay Shinde, founder of the well-read blog softwaretestinghelp.com (which boasts more than 30,000 subscribers) recently published a post designed to be a sort of refresher course for testing Web and desktop apps, going so far as to offer up his own simple definition of security: "Security means that authorized access is granted to protected data and unauthorized access is restricted."

Shinde also provided a few examples of application security flaws, including a student management system that allows admissions staff to edit exam data, an ERP system that lets a data entry operator generate reports, or a piece of custom software that retrieves actual user passwords in response to an SQL query.

Adding complexity to the problem is the fact that even thorough AppSec testing is not guarantee that software vulnerabilities won't make into application releases. In a recent article published by IDG's CSO Online, George Hulme makes a compelling case for doubling down by doing application penetration testing as well.

"What goes (or should go) into developing application security is well known," writes Hulme. "Developers should have their code vetted in their development environment. Their code should go through a series of quality and security tests in the development pipeline. Applications should be vetted again right after deployment. And, after all of that, it’s very likely that more vulnerabilities exist in the application that have yet to be uncovered.

"Finding those stubborn flaws is where periodic application penetration tests come in; this is when an application is poked and prodded to see if its security controls work as intended and if it’s vulnerable to attack."

That said, if your organization is one that hasn't committed to consistent AppSec testing yet, then you may want to address that before moving onto penetration testing. Whatever situation your company is in, don't let the pressure to speed time-to-market cause you to release applications prematurely; the company's brand and reputation may be at stake.

Contributors

Tony Kontzer

, RSAC

application security DevSecOps

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.