On Wednesday, March 3, 2021, at 10:00 a.m., the Senate Homeland Security and Governmental Affairs Committee and the Senate Rules and Administration Committee will hold a second oversight hearing in their ongoing investigation on the Jan. 6 attack on the U.S. Capitol.
The committees will hear testimony from Robert Salesses, the senior official performing the duties of the assistant secretary of defense for homeland defense and global security; Jill Sanborn, assistant director of the FBI’s counterterrorism division; and Melissa Smislova, the senior official performing the duties of the undersecretary of homeland security for intelligence and analysis.
A joint blog post from Veracode and ThreadFix
In today's world, speed wins. Just take Amazon for example. You can place an order with the click of a button and have it delivered to your door in under twenty-four hours. Retailers that can't compete with Amazon's speed are falling behind. The same level of speed and efficiency is expected with technology. Companies are in a race to deliver new and innovative technology first. But aside from speed, companies are also concerned about the security of their software. It does you no good to release new software first only to have it compromised.
So therein lies the dilemma: how do you release software fast while still implementing a comprehensive application security (AppSec) program? One of the most widely recognized solutions is moving security practices left. Instead of running AppSec scans right before production, where a late finding is expensive and time-consuming to fix, many organizations are starting their scans during the development phase, when the code is still in front of the developer who wrote it.
But not every scan type can be conducted early in the software development lifecycle. Scans like penetration tests or dynamic analysis need a running application, so they are best performed at runtime. Does that mean you should neglect dynamic analysis or penetration tests? In part 1 of the AppSec Bites podcast series, Tim Jarrett, Director of Product Management at Veracode, argues "no." Dynamic analysis and penetration tests find flaws that earlier scans, like static analysis, can't find. So it's worth taking a little extra time to run those scans.
What are some ways you can save time on AppSec scans? If you have scans that can be effectively implemented early, implement them early. If you don't currently automate your AppSec scans, automate them. And lastly, consider leveraging Veracode's sandbox capabilities for developers. As Kyle Pippin, Director of Product Management at ThreadFix, states, "The sandbox allows developers to get hands-on with risks before they get promoted to the security team. It enables developers to fix the low-hanging fruit."
So, the overall takeaway is that speed and security are a balancing act. You need to consider the risks involved with your application, set expectations with the developers on what flaws should be prioritized, and decide on what scan types make sense. Weigh the tradeoff of time and security for each application and follow best practices for speed to market, like shifting security left as much as possible, automating scans, and leveraging developer sandboxes.
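The balancing act described above comes down to a concrete pipeline policy: which scan types are allowed to gate which stage, and which severities actually stop the build. The script below is an added illustration, not code from Veracode, ThreadFix or the podcast. It assumes a tool-neutral findings format (the JSON shape, scan-type names and stage names are constructed for the example, not any product's output) and models the decisions the post recommends: static analysis and dependency scanning gate every commit but only on the agreed-upon severities, dynamic analysis and penetration-test findings gate a later runtime stage rather than being skipped, and everything below the threshold is handed to developers as non-blocking work.

```python
"""Severity-based gate for automated AppSec scans in a CI pipeline.

Added illustration for this post; it is not Veracode or ThreadFix code, and the
findings format below is a constructed, tool-neutral shape rather than any
scanner's real output.
"""
import json
import sys

# Constructed sample scanner output, normalised to a simple list of findings.
SAMPLE_FINDINGS_JSON = """
[
  {"id": "F-1", "scan": "sast",    "severity": "high",     "cwe": "CWE-89",   "where": "app/db.py"},
  {"id": "F-2", "scan": "sast",    "severity": "low",      "cwe": "CWE-117",  "where": "app/log.py"},
  {"id": "F-3", "scan": "sca",     "severity": "critical", "cwe": "CWE-1395", "where": "requirements.txt"},
  {"id": "F-4", "scan": "dast",    "severity": "medium",   "cwe": "CWE-79",   "where": "/search"},
  {"id": "F-5", "scan": "pentest", "severity": "high",     "cwe": "CWE-352",  "where": "/account"}
]
"""

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Which pipeline stage each scan type belongs to. Static analysis and dependency
# scanning need only source, so they run on every commit; dynamic analysis and
# penetration testing need a deployed build, so they gate the runtime stage.
STAGE_FOR_SCAN = {"sast": "commit", "sca": "commit", "dast": "runtime", "pentest": "runtime"}


def load_findings(raw_json):
    """Parse scanner output and reject records the policy cannot classify."""
    findings = json.loads(raw_json)
    for f in findings:
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"{f['id']}: unknown severity {f['severity']!r}")
        if f["scan"] not in STAGE_FOR_SCAN:
            raise ValueError(f"{f['id']}: unknown scan type {f['scan']!r}")
    return findings


def evaluate_gate(findings, stage, block_at="high"):
    """Decide whether `stage` may proceed.

    Returns the finding ids that block the stage, the ones below the agreed
    threshold (developers fix these without the pipeline stopping), and the
    ones that belong to a different stage and are left for that stage's gate.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking, developer_fix, other_stage = [], [], []
    for f in findings:
        if STAGE_FOR_SCAN[f["scan"]] != stage:
            other_stage.append(f["id"])
        elif SEVERITY_RANK[f["severity"]] >= threshold:
            blocking.append(f["id"])
        else:
            developer_fix.append(f["id"])
    return {
        "stage": stage,
        "blocked": bool(blocking),
        "blocking": blocking,
        "developer_fix": developer_fix,
        "other_stage": other_stage,
    }


def main(argv):
    """CLI shape a pipeline step would call: `gate.py <stage> [block_at]`."""
    stage = argv[1] if len(argv) > 1 else "commit"
    block_at = argv[2] if len(argv) > 2 else "high"
    result = evaluate_gate(load_findings(SAMPLE_FINDINGS_JSON), stage, block_at)
    print(json.dumps(result, indent=2))
    # Non-zero exit is what makes the CI job fail and stop the merge.
    return 1 if result["blocked"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py commit` in the pull-request job and `python gate.py runtime medium` after the staging deploy. The two thresholds are deliberately separate: what the team agreed to prioritise at commit time (where a block costs a developer minutes) need not match what blocks a release candidate, and the runtime findings are still recorded and routed rather than dropped because they could not run earlier.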
For more information on finding the balance between speed and AppSec coverage, check out part 1 of our recent podcast series with ThreadFix.
A joint blog post from Veracode and ThreadFix
When it comes to maturing an AppSec program, there are several best practices that can help you get started. In part two of our AppSec podcast series, Tim Jarrett, Director of Product Management at Veracode, and Kyle Pippin, Director of Product Management at ThreadFix, share the top 3 things they've learned from organizations that have successfully matured and scaled their AppSec programs.
1. Know your anchor points.
The first thing you need to think about when maturing your AppSec program is the current landscape of your organization. What are the things you can't change? It could be that you can't find more AppSec resources (supply and demand) or that there is no budget for additional scan types. Whatever the constraints are at your organization, you need to acknowledge them so that you can find acceptable workarounds.
2. Automate as much as possible.
Next, if you are not doing so already, you need to automate as much as possible. If application security scans are automated into the developers' existing tools and processes, there will likely be an increase in scan activity, and developers will have more free time to work on securing their code and remediating flaws. Automation can also be used for other purposes, like onboarding. Since security professionals are hard to come by, they are often stretched thin for time. Because of this, security professionals can become a bottleneck when it comes to software deployments. If you automate some of their tasks, like onboarding developers in security best practices, it can free up some of their time and improve speed to market.
3. Focus on outcomes.
Last, but certainly not least, it's important to focus not just on finding, but on fixing flaws. You can help developers improve fix rates through training measures. For example, Veracode Security Labs is a great tool to help developers practice writing and remediating code in their chosen language. Implementing a security champions program is also a useful way to help make security top of mind for developers. Most developers don't take security courses in college, so unless they are learning about security at their organization, chances are it's not a strong skillset. If you find developers who are interested in learning more about security, you can train them to be security champions and they can take those skills back to other developers.
To learn more about the best practices for maturing your AppSec program, check out part 2 of our AppSec Bites podcast series with ThreadFix.
Over the past several months, many organizations have had to shift their operations to a fully digital platform. This sudden shift was more challenging for some industries, like government, than other industries, like technology. And aside from having to adapt to fully remote operations, many organizations were also subject to tighter budgets, forcing them to become more efficient.
Many organizations, even those with higher budget scrutiny, have realized the importance of automating their processes to improve efficiency and even moving their operations from on-premises to the cloud. As Kyle Pippin, Director of Product Management at ThreadFix, mentions in the AppSec Bites podcast, a significant number of organizations were contemplating transitioning to the cloud prior to the pandemic. So, is it the pandemic that caused the surge in digital transformations, or is this a trend that was already underway?
Tim Jarrett, Director of Product Management at Veracode, thinks it's a bit of both: some companies were already interested in digital transformations, so the pandemic was the push they needed to take that next step, and others might not have been considering a digital transformation but are now realizing the importance.
The pandemic has also changed the way people work. There is less of a focus on team meetings and more of a push to start projects quickly and pragmatically. Organizations are looking to start digital transformations fast and efficiently and craving best practices on implementations.
Find out more about how the pandemic has affected AppSec in part 3 of our AppSec Bites podcast series with ThreadFix.
The key to successfully implementing DevOps practices is relationships. It's about breaking down the existing silos between different functions that deliver software, like development and operations. These functions need to work toward a common goal: efficient software delivery.
The other relationship that is key to implementing DevOps is the one between security professionals and developers. Developers have had a historically strained working relationship with security professionals. Developers' performance is often measured by the speed of deployments, while security professionals are more concerned with the security of the software. So, when security slows down production to conduct scans or remediate flaws, it can be stressful for developers.
The first thing you should do to help strengthen the relationship is to establish a common goal. Both security professionals and developers should be working toward fast, secure deployments. Next, since part of DevOps is shifting security left, it needs to be done in a way that won't add too much extra work for developers. For example, automate and integrate the security scans into developers' existing processes.
Finally, consider promoting people from within to lead the DevOps initiative. If you hire someone from outside who doesn't know the structure of your organization, it could cause increased tension and unnecessary delays. Count on your team to work together and find ways to successfully implement the new process.
For additional information on implementing DevOps, listen to part 4 of our AppSec Bites podcast series with ThreadFix.