Table of Contents
Foreword ix
Preface xi
Acknowledgments xii
About this book xiv
About the author xvii
About the cover illustration xviii
Part 1 Defining application security 1
1 Why do we need application security? 3
1.1 The role of an application security program 5
Software from concept to production 6
Where does application security fit? 7
1.2 The current state of application security 8
1.3 Why building security in is challenging 9
Trying to protect at runtime 10
Getting output from tools is not enough 11
Sifting signal from noise in security tools 11
1.4 Shifting right vs. shifting left in development 12
Shifting right in the development life cycle 14
Shifting right fails 15
Shifting left in the development life cycle 16
Shifting left fails 19
1.5 Is going left better than going right? 20
1.6 Application security needs you! 22
Democratizing application security 23
Users will be users 24
1.7 Examples of failing to secure the software 25
SolarWinds 25
Accellion 26
Fake software 27
2 Defining the problem 29
2.1 The CIA triad 30
2.2 Confidentiality 30
Data protection policy 31
Data at rest 32
Applying encryption 34
Data in transit 36
Encryption prior to transmission 39
Data in use 39
Not so confidential 40
Do I even need this? 41
2.3 Availability 41
DoS and DDoS 42
Accidental outage 43
The role of ransomware 43
Casino betting offline 44
Health organizations are still fair game 44
Building in resiliency 45
2.4 Integrity 46
Integrity starts with access 47
The role of version control 48
Data validation 49
Data replication 49
Data checks 50
2.5 Authentication and authorization 51
Authentication 51
Authorization 51
2.6 Adversaries 52
Script kiddies 52
Insider 53
Cybercriminal 54
Hacktivist and terrorist 54
Advanced persistent threat 55
Why do we care? 55
2.7 Measuring risk 56
Remediate, mitigate, accept 57
Identify the risk 58
Estimating likelihood 59
Estimating impact 60
Risk severity 60
Risk example 61
Other methodologies 62
3 Components of application security 64
3.1 Threat modeling 65
Basic threat modeling terminology 66
Manual threat modeling 68
Starting the manual process 69
Threat modeling with linking bank accounts 70
What to do with the found threats 72
Threat modeling using a tool 73
3.2 Security analysis tools 75
Static application security testing 77
Tools in the development environment 78
Dynamic application security testing 80
Software composition analysis 82
3.3 Penetration testing 84
3.4 Run-time protection tools 86
3.5 Vulnerability collection and prioritization 88
Integrating with defect tracking 88
Prioritizing vulnerabilities 89
Closing vulnerabilities 90
3.6 Bug bounty and vulnerability disclosure program 90
Vulnerability disclosure program 91
Bug bounty program 91
Third-party help with vulnerabilities 92
3.7 Putting it together 93
Part 2 Developing the application security program 97
4 Releasing secure code 99
4.1 Security in DevOps 100
DevOps pipelines 101
4.2 DevOps isn't the only game in town 102
Waterfall 102
Agile 104
Lean 106
DevOps supports security better 108
DevSecOps example 110
4.3 Application security tooling in the pipeline 112
Threat modeling in DevSecOps 112
SAST in DevSecOps 114
DAST and IAST in DevSecOps 115
SCA in DevSecOps 119
Run-time protection in DevSecOps 120
Security orchestration 122
Security education 124
4.4 Feedback loop 125
5 Security belongs to everyone 127
5.1 Security is everyone's problem 128
Structure of an application security team 129
Just hire more application security people 130
How to close the gap 132
5.2 Security education 132
Raising the security IQ 133
Microlearning and just-in-time training 135
It's more than just training 137
5.3 Standards, requirements, and reference architecture 138
Creating and driving standards 139
Creating reference architecture 142
Bringing requirements into the organization 144
5.4 Maturity models 145
OWASP SAMM 146
Building Security in Maturity Model 149
Addressing your security immaturity 152
5.5 Decentralized application security 152
Security champions program 153
Leveraging the decentralized model 155
6 Application security as a service 158
6.1 Managing risk during development 159
Defining and reducing risk 160
Define the application risk 160
Release-by-risk 163
6.2 Enablement instead of gates 168
Automate the release-by-risk 169
Removing the barriers by adding guardrails 170
6.3 Bridging engineering and security through services 172
The application security-as-a-service ecosystem 173
Services requested through tickets 176
Ambient application security 179
Part 3 Deliver and measure 183
7 Building a roadmap 185
7.1 Getting the current security posture 186
Going on tour 186
What tools exist? 188
What vulnerabilities do you have? 191
What additional information is available? 193
7.2 Understanding the organization's security goals 195
The organization's goals 195
The application security goals 196
Aligning the business and security goals 196
7.3 Identifying the gaps 197
Finding the immediate gaps 198
Input into the gap analysis 199
What to do with the gap analysis 201
7.4 Sample application security roadmap 202
Secure engineering education 203
Educating the application security team 205
Application security tools roadmap 207
Aligning engineering and security roadmaps 209
Building for the future 210
8 Measuring success 215
8.1 What to measure 216
Measuring the effectiveness of your tools 217
Tuning the tools based on feedback 217
Measuring the effectiveness of your processes 220
Measuring the mean time to remediate 221
Optimizing the mean time to remediate 222
8.2 Gathering effectiveness with KPIs 224
Building the KPIs 224
Setting KPI targets 226
Driving change based on KPIs 227
8.3 Getting feedback 229
Getting feedback from conversations 230
Getting feedback from surveys 230
8.4 Security scorecard 232
Preparing for the scorecard 233
Weighting the scores for the scorecard 235
Creating the scorecard 236
9 Continuously improving the program 240
9.1 Keeping ahead of the attacker 241
MITRE ATT&CK 242
Cyber Kill Chain 244
9.2 Threat catalogs 245
Applying the OWASP Top Ten 246
Applying the MITRE CWE Top 25 249
9.3 Staying ahead of engineering 250
Keeping up with the coding languages 251
Keeping up with the technology changes 251
When hiring and training aren't enough 253
9.4 Stop chasing the shiny new tool 254
Use a capability matrix 255
Managing the tool and vendor 256
Buy the shiny new tool 257
9.5 Preparing for the worst 258
Appendix Answers to exercises 263
Index 269