Application security manager: developer or security manager?
Key points to remember
- Keep security in mind at all stages of the software development lifecycle.
- The Application Security Manager (ASM) should be the driving force behind the overall code review process.
- An ASM must understand what the project they supervise is all about.
- An ASM should be familiar with development processes and information security principles, and should have strong technical skills.
- To get a good ASM, you can either use the experts of a service provider or develop an in-house professional among developers or security specialists.
The majority of successful attacks against organizations exploit software vulnerabilities and backdoors. Fortunately, software vulnerability scanners are no longer seen as exotic by businesses. Instead, they have become a central part of the security infrastructure. With a small scope of development work, you can operate a scanner manually. However, a larger amount of code requires automated analysis. But who should manage it? Who should decide how often to check versions, check for vulnerabilities, reject a version, and handle the remediation of code vulnerabilities, as well as answer any other related questions? This is where an Application Security Manager (ASM) takes over.
But how can you find such a unique person or promote them internally? This article describes the requirements of an ASM based on enterprise software development practices.
What is an Application Security Manager?
Sooner or later, organizations realize the need to hire such a person, especially when they lack in-house specialists who can fill the role. What about the developers? Although experienced in software development per se, they can hardly translate detected vulnerabilities into information security or business risks. Why not take a security specialist? Diving deep into the smallest details of development is a challenge for them, yet checking for vulnerabilities requires an understanding of code in different languages and, therefore, some serious development experience.
Let’s see what tasks arise during the secure development process that an ASM has to solve.
You might think that an ASM is just checking code for security compliance, but security issues arise at different stages of the system lifecycle, from design to release. There are different models for building a secure development lifecycle (Software Security Touchpoints, SDLC, etc.) and different adoption methods (waterfall, agile), depending on the approach used. However, they all agree on one key point: you need to keep security in mind at all stages of the system lifecycle.
Obviously, with a relatively large project, it is unlikely that one person would be able to fill all aspects of such a role. It is very rare to find a single person who can develop application security requirements, examine application architecture, verify analyst work, and assess code security. Other challenges include ensuring that the application has undergone all required security tests and that the system has been deployed securely and correctly configured.
In addition, these activities are often performed by different teams and business units. For everything to work, the ASM must become the driving force behind the whole process. Such a manager must ensure compliance with secure development practices either personally or by delegating certain tasks to narrow specialists. However, our experience shows that an ASM cannot simply assign tasks to the relevant personnel and then wait for the results.
What should an ASM know and do?
First and foremost, an ASM must understand what the project they supervise is all about. This is especially important for agile development, where, unlike the waterfall model, you don’t have two months to do a pre-release review. The job of an ASM is to ensure that the requirements defined at the design stage are correctly interpreted by the team, correctly adopted in the architecture, are generally achievable and will not cause serious technical problems in the future. Typically, the ASM is the primary person who reads, interprets, and evaluates automated reports and third-party audits. The ASM is also responsible for filtering irrelevant and incorrect results, assessing risks, and participating in exception management and the development of mitigation measures.
Here’s a real-life example: A source code analysis or evaluation revealed an insecure hash function (MD5). Company policy prohibits the use of MD5, and the vendor agrees to replace it with a more secure function within three months at a high cost. However, in this case, the hash function's lack of collision resistance did not affect the security of the system at all, as the function was not used to protect integrity. Here, a formal approach and a function replacement slowed down production and cost a fortune, without serious justification or security gain.
Second, an ASM must be familiar with various areas, including development processes and information security principles. Technical skills are also important because it is very difficult to assess the results provided by narrow specialists and automated tools if you cannot read the code and do not understand how the vulnerabilities can be exploited. When a code analysis or penetration test reveals a critical vulnerability, it is quite common for developers (who are also committed to creating a secure system) not to accept the results and claim that the auditors failed to exploit the vulnerability. How do you know who is right? Indeed, resolving such a dispute impartially requires technical skills. If the secure software development process is outsourced and/or provided as a service, how will someone verify that the “technical” practices are correct, and who will it be?
Where to find such a specialist?
Anyone who has researched the market has likely faced an acute shortage of application security specialists. Typically, the scenario looks like this: Internal customers define requirements for the candidate and pass them on to HR. If the requirements are strict, an open search returns no results, as seasoned specialists very rarely publish their CVs publicly. When looking for a new job, they can easily find opportunities through existing contacts. So what to do?
You can try to hire a professional from other companies, but this is not always acceptable for various reasons. More and more often, ASM outstaffing competitions are held in the market, allowing you to successfully solve the problem by bringing in the experts of a service provider.
Yet there is another option. You can try to develop your own ASM internally from:
- security-conscious developers or
- security specialists who know software development and security and want to learn more about it
Both types of candidates will need to master the areas where they lack knowledge. Candidates with a developer background will have a better understanding of the dominant culture and processes of the teams they have worked on. However, it may take quite a while for them to master the knowledge areas related to information security. Experience shows that people who are interested in information security and already have some level of application security knowledge can be found among developers, testers, analysts and architects. Hence, they can be ideal candidates for the ASM position.
On the other hand, security professionals will have to adapt by changing their traditional approaches and embracing the culture of the development team. However, if a security specialist has coding experience and is familiar with development processes, they should be able to join the team quickly and smoothly.
Secure development is first and foremost a business process requiring consistent performance from all team members. A qualified ASM is a key driver in this process, as well as an inspirer, team leader, interpreter and supervisor: essentially a jack of all trades. While it is not easy to find or develop such a specialist, the business benefits of finding the ideal candidate can be substantial.
About the Author
Daniil Chernov, DerScanner CTO, MSIS, CISSP, CISA, has over 15 years of experience in cybersecurity. From 2005 to 2007 he worked as an Information Security Analyst at Informzaschita, and until 2015 he held various positions at the systems integrator Jet Infosystems. In 2015, Daniil Chernov took the position of CTO of the DerScanner project, a binary SAST solution. He regularly organizes appsec webinars and writes articles on secure development for the trade press.