Adding trust to AppSec and DevSecOps

When we download apps from an App Store, there is an inherent level of trust associated with them, meaning we rarely read the fine print in the terms. It’s easy to assume that apps must be secure, robust and reputable because they’re hosted by a well-known brand.

While this is true in many cases, some apps are either knowingly or unknowingly malicious. Apps may collect, aggregate, and share user information with other apps and providers, and may contain vulnerabilities that allow them to be directly exploited.

Technology and cyber are complex, so it is unrealistic to expect most people to be up to date with the latest capabilities, processes and security concerns. When a parent is asked by their child, “Can I download this app on my phone?”, they need some kind of cue to help them make an informed decision. Today, the only information available to anyone is how the app looks, its name and its reviews. This is simply not enough.

Innovation vs. Security

While safety is paramount, it is important not to discourage innovation. It’s fantastic that anyone can access a basic coding package to build an application. However, a way to build increased trust and assurance is needed. There needs to be a minimum standard and set of requirements to ensure apps are fit for purpose and cyber secure. While this responsibility rests with the app developer, it needs to be evaluated, assured, and signposted by other parties so that it makes sense to the app’s customers.

The cybersecurity industry has been providing cybersecurity testing and assurance in the form of penetration testing and code reviews for many years. Most well-known apps have passed multiple rounds of evaluation to test both functionality and cybersecurity. But although these applications are frequently evaluated, there is no consistency. Some organizations rely on tools, some have a method, some take a high-level assessment, and some do a thorough root-and-branch deep dive.

Phrases like security review, application review, penetration testing, and technical assurance activity are thrown around, but they don’t have a consistent meaning. As a result, security assessments are highly inconsistent and depend on factors such as the assessors, the tools, the methods, the time the assessment was performed, and even the year it was performed.

Obviously, an assessment is better than no assessment, but the industry must pull together to create something that is consistent, repeatable, risk-based and scalable. A vendor or tool from Security Company A should be able to perform the same tests as Company B with a consistent approach to reach the same conclusions. And not only do the results need to be consistent, they need to be presented in a consistent and scalable way.

We must make application security scalable. This means identifying and delivering against a minimum set of standards and requirements. We also need to build a complementary reporting framework that is hyper-scalable, API-driven and machine-readable. This requires clearly identifying what was assessed, what was identified, and what the conclusion or outcome is.

Achieving these goals requires the application development and cybersecurity industries to work together. By focusing solely on standards and using consistent reporting frameworks we will be able to produce more consistent and comprehensive cyber assurance results.

This does not mean organizations lose the purpose or value they add through their own application security approaches. For example, it will still be possible to present results in different ways based on the application, audience and scope. However, a minimum set of consistent reporting controls and standards across all testing platforms, processes and frameworks is essential.

This approach will drive both improvement and consistency across applications. However, large digital marketplaces also need to inform consumers when an application is safe. There are many different ways this can be achieved. At its simplest, a thumbs up/thumbs down indicator is useful. Alternatively, marketplaces could develop more granular rating systems.

Now is the time for the industry to act.

Around the world, governments and regulators are looking to digital marketplaces to identify ways to create better and more consistent security practices. While regulation may not be on the horizon today, it is likely that digital marketplaces will increasingly issue guidelines and recommendations – with the intent of driving improvements.

In an interconnected and global supply chain, this can result in governments imposing different requirements. This, in turn, can increase inconsistencies and deviations from the intended goals of standardization. So it is within the gift of the industry to come up with a solution to this problem itself. Through collaboration, engagement, and dialogue, the industry can collectively create standards, provide consistent assessments, and provide consistent signposting to customers about the effectiveness of an application’s security posture.

CREST recently established a relationship with the Open Web Application Security Project (OWASP) and introduced the OWASP Verification Standard (OVS) for organizations starting this journey. More information is available here.

Rowland Johnson took over as president of CREST in 2021, having previously served as the organization’s director of international development. He was previously the founder and CEO of Nettitude, a provider of penetration testing, compliance and risk management services.