Netsparker founder Ferruh Mavituna was interviewed by Paul Asadoorian, the host of Enterprise Security Weekly, in show #164. They talked about building a web security program – how to start a program, how to adopt a realistic approach, and how to design it with enterprises in mind. Matt Alderman, CEO at Security Weekly, also joined the conversation.
Ferruh started off by discussing the concept of ‘shift-left’. This is an attempt to redefine how security is integrated into the SDLC. In the traditional develop-build-test-deploy model, web application security is often considered only at the test stage, or retrofitted just before release. Shifting left moves security earlier (i.e. to the left in that sequence), into the development stage itself. Much has been written on the benefits of this approach, with some renaming the field DevSecOps to place security concerns right at the centre of the development methodology.
Ferruh argued that while this approach is correct in the longer term, it is not the most realistic place for enterprises to start. In many organizations the security team is not even in contact with the DevOps team, and is a long way from being able to implement shift-left. There needs to be a careful, planned move from right to left, not a sudden shift.
Ferruh and Paul agreed that political and financial concerns arise within an organization if you suddenly insist on starting from the left. You will need approval from the board and upper management, and the ability to answer their questions about budget, execution and timescale. The issue, in a word, is numbers. You will be asked to prove how much security has improved and whether that improvement outweighs the required investment. As Ferruh pointed out, this is a difficult question to answer unless you have trackable data.
In order to build trust and make your case, you need to be able to prove to management that what you have done so far has improved security measurably. Starting left takes longer and allows for a period in which you can suffer a breach. If that happens, you’ve lost all trust and support.
Instead, companies that want to improve their security need to first look at where they are right now. That means discovering what web applications they actually have, since it is unlikely that they already hold a complete inventory. Then they can classify how severe an attack on each asset would be, prioritize by risk, and apply firewalls as a temporary measure to reduce exposure while the underlying issues are fixed. As Ferruh put it:
First of all, put out the fires. Then ensure you are not creating new fires.
Starting from the left involves a careful rebuilding of the culture of development in an organization, complete with tooling and automation, all of which has to be learned, implemented and tested. This could take up to two years. You can’t do DevOps overnight!
Ferruh's recommendation is to start with whatever takes the least effort but gives the maximum impact. Such a starting point serves as a guide for how to prioritize resources and allocate the budget. It also produces a lean, results-driven format in which improvements are clearly visible. The security team can then use this data to persuade management to support further shift-left activities, which in turn become the core of a longer-term, enterprise-wide web application security program.
Watch Ferruh’s interview, Web Security Program and A Realistic Approach for Enterprises - Ferruh Mavituna - ESW #164, and take a look at the relevant Show Notes.
For further information about the shift-left concept, read Announcing the Netsparker Whitepaper: How to Secure Thousands of Websites with a Small Security Team.