Three AppSec questions you must ask in consolidation

This post first appeared on Federal News Network. Read the original article.

In an era of security teams and developers wanting to squeeze the value out of every dollar, we have noticed many companies switching to consolidated application security (AppSec) approaches. Beyond defining what consolidation in AppSec truly means, the discussion of panic buying, DevSecTrust, and artificial intelligence/generative AI (GenAI), must all be taken into account when asking the three key questions that go into consolidating your AppSec approach.

Consolidation for dummies and the space for AI

 In its most simple form, consolidation is the concept of taking many tools and boiling them down into one platform. For developers, consolidating the software development lifecycle (SDLC) is a welcomed enhancement, but it must be ensured that every step of the lifecycle is covered.

For many, this is now where AI/GenAI comes in. To play the role of the myth-buster, AI and GenAI are not going to substitute the developer’s job. Rather, AI is a supporting tool. As incredible as AI is, it will not be the silver bullet that solves everything. Developers fearing for their jobs because of AI is a real concern, but it must be stated that individuals will not lose their livelihoods because of it. They will lose their jobs because they do not know how to embrace AI, or they refuse to do so.

Consider this. If you are building a wooden house, you need to learn how to use the appropriate tools. If you know how to only use a hammer, you can build the house but it won’t be nearly as efficient as someone who knows how to use a screwdriver in addition to the hammer in construction. AI offers developers an opportunity to diversify their skillset in creating applications, thus making themselves irreplaceable.

Artificial intelligence can also give a second opinion for the best course of action in terms of patching vulnerabilities, thus ensuring organizations remain compliant with various regulations, including the United States Securities and Exchange Commission rules on cyber risk management. So now that we know a little more about consolidation, how do we get closer to it?

Three questions AppSec teams need to ask in consolidation

Much has been made of breach reporting requirements set forth by government entities, most recently from the SEC, requiring public companies to report material cybersecurity incidents within four business days, leaving questions for organizations as they toe the line between panic buying and consolidation.

To effectively build a strategy around application security, AppSec teams must ask three key questions:

  • Does my AppSec approach provide end-to-end coverage? AppSec teams must ensure that answers are provided to all questions at every stage of the SDLC. From design to developing, building, testing, etc. up until runtime, you must confirm that all questions are addressed to ensure your application is as secure as possible. The concept of shifting security left to address it earlier in the cycle is not enough. AppSec teams must shift security everywhere to certify there are constant checks on security throughout application development.
  • Does my AppSec approach possess integration capabilities? Simply put, AppSec needs to make life easier for developers. Each time a developer generates a line of code, there must be real-time feedback based on the security of that code, as well as best practices for consideration when using it. This gives the developer the information they need when they need it. As more code is entered, more scans are run. AppSec possessing integration capabilities also makes life easier on the customer, giving them the liberty to bake in multiple solutions.
  • Does my AppSec approach provide appropriate visibility and analysis? Similar to the point of end-to-end coverage, allowing developers the luxury to access full transparency into the AppSec environment coupled with analysis of where the security of the application stands allows teams to remediate vulnerabilities before they become real issues. If you can solve a vulnerability, even in the testing phase, you save six times of what that vulnerability would have cost in the maintenance phase, according to data from the System Sciences Institute at IBM.

From the perspective of the customer, it is easy to lose the vision of what the organization needs to do versus what they want to do. It happens often that organizations will purchase a product on first instinct without seeing the full picture. Building tools on top of tools to plug gaps is an inefficient use of resources. Consider questioning your tooling with the same three questions above to avoid finding yourself asking the million dollar question: Is ‘good enough’ really good enough?

Building a future of DevSecTrust in a new toolset era

 It is no secret that in the past developers and security teams were two different entities. A combative relationship at times, the two teams often found themselves pulling on different sides of the proverbial rope, with one wanting to efficiently develop applications and the other wanting to secure the applications, which obviously takes time out of development.

While security costs money, it saves a lot more. As we continue to work toward an increased culture of security consolidation, the ease of work for the developer must be taken into account. Consider working backwards from your business goals, baking in security while making the developer’s life easier in the short and long term. With AppSec and developers working in harmony, all teams will be able to work efficiently, propelling the business that much closer to its goals.

Sagy Kratu is senior product marketing manager at Checkmarx.

The post Three AppSec questions you must ask in consolidation first appeared on Federal News Network.

Leave a Reply

Your email address will not be published. Required fields are marked *