For the Secure by Design initiative of the Cybersecurity and Infrastructure Security Agency (CISA) to really change the security landscape, the scope of traditional application security (AppSec) will need to expand considerably beyond shifting code testing left (earlier in the software development lifecycle). What is required is a more holistic approach that considers the security of software as it is deployed within products, within interconnected networks, and within broader digital ecosystems.
Many security visionaries believe that today's AppSec confines are too limited. They argue that Secure by Design principles and the systematic securing of the software supply chain need to be broadened to include product security that applies to everything from enterprise software platforms to IoT-enabled refrigerators.
Here's what you need to know about how expanding your AppSec approach to ProdSec can help achieve Secure by Design's goals — and bolster your organization's overall software security strategy.
AppSec’s roots in vulnerabilities keep it too limited
Most of the AppSec world is stuck, still relying on the programs — SAST, DAST, RASP — that were born in an effort to relieve overwhelmed vulnerability management teams and get ahead of the crushing volume of flaws found in production software. They shifted testing earlier in the SDLC and prioritized risks discovered there to limit the number of critical flaws pushed live. It was an improvement, but simply testing for flaws in the code is a poor substitute for programmatically architecting secure software out of the gate.
Sam Rehman, CISO of the software development firm EPAM Systems, said that AppSec is often perceived too narrowly, as a process for adding security checks to the development of software, to the deployment of software, or to software during runtime. “This limited perspective fails to encompass the broader context that's essential for an application's effectiveness," Rehman said.
He advocates product security that brings Secure by Design principles to the design phase of a product or service. “This involvement extends to defining robust product policies and controls that are intricately woven into the product's architecture and functionality,” he said. It also includes appropriate implementation of controls and configurations, measures for SecOps teams to manage incidents involving software-based products, and robust information and signals around the software once it’s deployed.
“While these components are critical, they don't constitute the entire solution unless viewed within the context of ultimate engagement — from users to products."
—Sam Rehman
Jamie Boote, associate principal security consultant at Synopsys Software Integrity Group, said many AppSec veterans have seen the need for such a comprehensive approach to software security and implemented programs that focus on what happens between software design and release, expanding to support DevOps, cloud and container infrastructures, and other product areas that impact software development.
Expanding AppSec to ProdSec: Organizational mentality is key
This idea of moving "beyond AppSec" was recently broached in an article of that name on the Securely Built Substack by software security guru Derek Fisher, who called for a new label to accommodate the broader scope: ProdSec.
“ProdSec encompasses more than just securing the application. While an application refers to a specific software program or tool, a product encompasses a more comprehensive software solution, often comprising multiple applications and associated components designed to meet broader user needs or organizational requirements."
—Derek Fisher
Nick Sikorski, head of Deloitte’s product security practice, said that while product security has not been viewed as a standalone function that calls for senior leadership and investment, things are changing. Today, he said, "the reporting structure and seniority of the product security function is evolving with an increased push to senior-level positions that often sit within corporate cybersecurity or R&D teams."
He said organizations are finding that a strong emphasis on product security is helping them stay agile and flexible in delivering products while driving deeper changes to the security posture of the software that underlies them.
“By improving teaming across product security, R&D, quality and other functions within an organization, companies can build a culture of security and help keep products safe, secure, and reliable. They take a security-by-design approach to new product development while also continuously working to improve product security and related business processes.”
—Nick Sikorski
Product security will be the key to considering security at every phase of product development, not just as code is being written, said Chris Roeckl, chief product officer of Appdome.
“By actively participating in each stage of the development process, the product security team helps embed security considerations into the software's design, architecture, coding, testing and release to production. This proactive approach is a virtuous cycle and minimizes the risk of vulnerabilities and ensures that security is an integral aspect of the final product.”
—Chris Roeckl
To do it right takes “orchestral coordination” across a web of different third parties, off-the-shelf software, and open-source components, said Sikorski. And even after products go to market, the product security function keeps on ticking to cover post-market risk management, including security monitoring and incident-handling capabilities, he said.
Will AppSec go away, then?
So if ProdSec is the function that enables Secure by Design, what happens to AppSec? Many believe that it should remain — and become a subset of the broader ProdSec initiative.
David Lindner, CISO for Contrast Security, said AppSec concentrates on securing the code and functionality of a single software application, but “product security takes a holistic view of the entire technology product, considering the broader environment and potential attack vectors that may emerge from the communications between various components.”
EPAM Systems' Rehman said no one should think that ProdSec replaces AppSec. "Rather, it complements it, potentially incorporating it as [an underlying] layer within the security framework,” he said.
Secure by Design demands better tooling
Saša Zdjelar, Chief Trust Officer at ReversingLabs, said recently that for Secure by Design to deliver on its promise, organizations need more holistic tools that work for both producers and consumers of software. Zdjelar explains what he means by holistic application security testing (AST) by describing what crash tests did for ensuring the safety of cars.
"You crash-test it, and then you provide the insights into how it did from various angles at various speeds, airbags, crumple zones, all those sorts of things that we have agreed are the characteristics of a secure vehicle or a safe vehicle. But you wouldn't crash-test a radio volume knob and a windows up-down button and a seatbelt separately and a rear car seat separately and a visor separately. You crash-test the vehicle when it's been fully assembled so that you know how the system as a whole operates or will perform in that type of environment."
—Saša Zdjelar
One of the big problems with the shift-left movement of recent years, Zdjelar said, is that it focuses too intently on component-level views, to the detriment of understanding how those components operate together in the completed software package. When Secure by Design is fully realized, the benefit will be early analysis combined with integrity checks on the assembled product that establish the crash-worthiness of software before it is shipped.