Security is quickly becoming central to the software development process in many organizations. Yet they struggle with the huge number of issues, with who is responsible for them and with how to tackle them while still delivering fast. Most importantly, they need to decide on the priority of those issues. A purely technical view on security issues is not enough. What matters is the impact a security issue has on the business continuity of an organization. Most companies apply some sort of risk management approach to tackle security issues in software development. However, most practices are based on manual effort and require a human being to intervene. It’s time-consuming. Besides that, security assessments done that way are very subjective. Meet Apiiro, which addresses application risk management based on business impact.
Setting the baseline
Before we jump into what Apiiro can do for your organization, let’s first set the baseline which acts as the starting point for addressing and fixing any security issues. Many companies run multiple initiatives at the same time: scanning existing source code using SAST tools, collecting vulnerabilities across all third-party artifacts in use, detecting unwanted secrets across code repositories and configuration files, collecting run-time issues and feeding these back to Product Owners, etc. In the end there is a (hopefully) complete list of everything that requires the attention of a lot of people across the entire organization.
Where to start?
A traditional way
Typically, these companies start digging into the huge list of findings and try to pick the low-hanging fruit first. That’s noble, but most of the time this is seen from a technical perspective only. Every security issue should have a CVSS (Common Vulnerability Scoring System) score, an open industry standard for assessing the severity of computer system security vulnerabilities. In essence, it’s one of the building blocks for risk managers to identify the potential impact (likelihood × severity) in case something goes wrong.
A limited view
The above-mentioned approach leaves out the (potential) business impact. The traditional way does not tell the risk officer how important the application is for the organization, although the CIA (confidentiality, integrity, availability) rating might help here. Furthermore, he/she also does not know the potential future revenue of the application, and thus how important it is to fix things (fast). In larger organizations there is a lot of debate and competition for the attention of the people who have a say in “proceed or stop”. CI/CD pipelines with quality gates are often not implemented at scale, or they also lack the business aspect: it’s either yes or no based on a technical analysis. Sometimes risk officers just hand developers a Word file to be filled in and sent back. So much can go wrong in that process.
A penetration test is a good example here. Often, DevOps teams have to wait for a red team or even an external security expert team to conduct a pen test of their application before it can go live. Pen tests can be automated to some degree, for example by using ZAP. But the person in charge might test every aspect of the application which he/she thinks is relevant. The tester needs more contextual information to select and test the aspects which really matter, and to skip the rest or the unchanged aspects if you carry out pen tests on a regular basis.
All of these issues feed the need for smarter solutions which help security experts, developers and business representatives to prioritize, speed up and move faster with more confidence.
The code risk platform
Apiiro helps to get rid of the so-called “checkbox processes”. Whereas those processes are based on manual input, questionnaires and self-assessments and are conducted periodically, Apiiro uses data analytics and code-based, automated processes to continuously assess every change of the software applications that are analyzed.
The code risk platform consists of various solutions which work together to provide security and compliance assurance and to help orchestrate SDLC processes and tools. Besides this, it also tracks application components based on asset discovery, and it focuses on CI/CD security and integrity as well as change management processes.
5 easy steps
According to the webpage which describes the code risk platform, there are just five steps to make it work:
- Connect Apiiro to all of your source code control and ticketing systems. Don’t forget your CI/CD, SAST, DAST and SCA tools.
- Apiiro builds a complete and real-time inventory of your applications (and their components).
- The risks that matter (most) for your applications are identified based on their security and privacy posture.
- Risk mitigation is based on business impact and is automated across all of your (security) tools and SDLC processes.
- KPIs which are based on business risks and opportunities help you to measure your AppSec program.
Easier said than done; let’s take a look at some practical examples to make things more concrete.
It all starts with a complete inventory of your applications, on-premise and in the cloud. Apiiro examines all repositories and projects to detect the frameworks in use, infrastructure, attack surface elements, cloud security posture information, etc.
Risks are grouped and correlated with each other. For example, the platform shows how many applications write PII data to log files, how many secrets are exposed in source code and where, and how many applications expose sensitive data through a (publicly accessible) API. Since it constantly updates the inventory, you also get visibility into the current and past technical debt of your applications, and trends are visible from specific points in time. Suppose you lead a security program: now you can measure whether you are making any progress.
The business benefits of this approach are fewer manual steps for developers and security experts to conduct threat modeling, and security teams that oversee the complete landscape of applications and the business impact of the exposed risks. However, the biggest benefit is the “always up to date” inventory. Since the SDLC iterates faster every day, an inventory generated the “old way” would be outdated tomorrow.
One of the biggest pain points of nearly every company is implementing governance-related processes to comply with external and internal regulations. Compliance and auditing are key aspects here.
External audits distract a lot of people in the organization, who have to dig up evidence to show to the auditor. You have to show that you are “in control” at all times. The moment an auditor shows up, many people have to drop their work and assist the auditor. This can now be automated by detecting compliance violations earlier in the process and triggering remediation processes automatically. This is one of the smart solutions that helps everyone who is in charge of this.
It’s good to know that Apiiro can identify and trigger compliance processes for various compliance frameworks such as NIST, CIS, PCI, GDPR, etc. You can automatically hook into ticketing systems such as Jira, send messages to Slack channels, etc.
The so-called risk mitigation work plan is at the heart of these kinds of processes. It prioritizes and enriches alerts with the right context from third-party tools and other points of entry (for example API gateways). To do so, it analyzes applications and data from design to code to cloud. Risks are identified specifically with business impact in mind.
Imagine an application with a very high CIA rating. This one is crucial to the business, but what if a vulnerability is found and you don’t see the actual context? Developers need to fix it ASAP. However, if the vulnerability is in a piece of “dead code”, there is no need to fix it: remove the code and carry on. Smarter decisions help you to pinpoint these kinds of efforts.
Two times high risk
Suppose an application has a high-risk finding, but the piece of source code is not deployed and not exposed to the outside world in any shape or form. This is a less risky situation to cover than the same high-risk issue in another application. The latter might be a critical application that is deployed multiple times a day and serves very important customers who make important decisions based on it. It’s very obvious that the second risk should have a much higher priority than the first one. Every business analyst would agree that this is exactly the information they miss from other tools that only look at the technical aspects.
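To make the “two times high risk” comparison concrete, here is a small prioritization model as an added example. It is not Apiiro’s code or scoring model; it simply shows how the same CVSS base score ends up with different priorities once you fold in the context the article talks about: the application’s CIA rating, whether the code is deployed and internet-facing, how often the application ships, and whether the finding sits in dead code. The CIA scale (1 to 3), the exposure and velocity factors, the action thresholds and the sample applications and findings are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Application:
    name: str
    cia_rating: int          # 1 = low, 2 = medium, 3 = high (constructed scale)
    deployed: bool
    internet_exposed: bool
    deploys_per_day: int


@dataclass(frozen=True)
class Finding:
    finding_id: str
    app: Application
    cvss_base: float         # CVSS base score, 0.0 .. 10.0
    in_dead_code: bool = False


def exposure_factor(app: Application) -> float:
    """How reachable is the vulnerable code? Undeployed code weighs least,
    internal-only deployments sit in between, internet-facing ones get full weight."""
    if not app.deployed:
        return 0.25
    if not app.internet_exposed:
        return 0.6
    return 1.0


def velocity_factor(app: Application) -> float:
    """Applications that ship several times a day carry an open issue into
    production more often; add 10% per daily deploy, capped at +50%."""
    return 1.0 + 0.1 * min(app.deploys_per_day, 5)


def business_risk(f: Finding) -> float:
    """Priority score: technical severity scaled by business context.
    This is a ranking score for one inventory, not a CVSS score."""
    if f.in_dead_code:
        # Unreachable code is not a risk to fix; it is code to delete.
        return 0.0
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"{f.finding_id}: CVSS base score out of range")
    if f.app.cia_rating not in (1, 2, 3):
        raise ValueError(f"{f.app.name}: CIA rating must be 1, 2 or 3")
    score = (f.cvss_base
             * (f.app.cia_rating / 3)
             * exposure_factor(f.app)
             * velocity_factor(f.app))
    return round(score, 2)


def recommended_action(f: Finding) -> str:
    """Turn the score into the decision a work plan would carry (constructed thresholds)."""
    if f.in_dead_code:
        return "remove dead code"
    score = business_risk(f)
    if score >= 7.0:
        return "fix now"
    if score >= 3.0:
        return "schedule fix"
    return "track"


def prioritize(findings: Iterable[Finding]) -> List[Tuple[str, float, str]]:
    """Return (finding id, business risk, action), highest business risk first."""
    ranked = [(f.finding_id, business_risk(f), recommended_action(f)) for f in findings]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample inventory: one undeployed internal tool, one customer-facing
# application that ships four times a day.
INTERNAL_TOOL = Application("reporting-batch", cia_rating=2, deployed=False,
                            internet_exposed=False, deploys_per_day=0)
CUSTOMER_PORTAL = Application("trading-portal", cia_rating=3, deployed=True,
                              internet_exposed=True, deploys_per_day=4)

# Same CVSS 8.8 finding in both applications, plus a worse one in dead code.
SAMPLE_FINDINGS = [
    Finding("F-1", INTERNAL_TOOL, cvss_base=8.8),
    Finding("F-2", CUSTOMER_PORTAL, cvss_base=8.8),
    Finding("F-3", CUSTOMER_PORTAL, cvss_base=9.1, in_dead_code=True),
]

if __name__ == "__main__":
    for fid, score, action in prioritize(SAMPLE_FINDINGS):
        print(f"{fid}: business risk {score:5.2f} -> {action}")
```

Run as-is, the two identical CVSS 8.8 findings come out far apart: the undeployed internal tool scores 1.47 and is merely tracked, the internet-facing trading portal scores 12.32 and is flagged “fix now”, and the CVSS 9.1 finding in dead code scores 0 with the advice to delete the code rather than patch it. The factors are deliberately simple so that the ranking is explainable to a business stakeholder; the point is that the ranking input is the application context, which a scanner alone never has.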
Prepare your organization
Your (security) stakeholders and the top management of your organization might not be so aware of this. Business continuity is all about risk management. That is the theory, but in reality, a lot of security experts like CISOs tend to think in terms of avoiding or controlling security (issues). Their view on the topic is a bit too narrow. They need to think from an application risk perspective to speak the same language as top management. Not an easy task, since they need to shift their level of knowledge from the operational towards the tactical level, perhaps even to the strategic level. At the same time, they need to stay practical and concrete to turn the strategic choices into a tangible solution that works throughout the organization.
A number of key points to help you achieve this:
- Stop discussing security issues in isolation; gather the right context in terms of business impact. Communicate this to the key stakeholders to get them on the same page.
- Always ask the question: in which way is this relevant from the business perspective? Which risk do we mitigate if we fix it and what does it cost? What is the positive impact on the end-users of the application?
- Evaluate your existing security processes and gather requirements to automate the most time-consuming manual ones. Identify the points in the process where tools can fit.
- Educate everyone and convince them to adopt this new way of thinking. Conduct demos and build sample business cases around it.
Security issues are everywhere in modern organizations. However, not every security issue poses the same risk in terms of business impact. Apiiro provides a “code risk platform” which assesses your data and application sources to build an inventory of your applications. Combined with risks which take the business perspective as the most important factor, you can pinpoint your security efforts. Security experts as well as developers save time and money, your organization will be more “in control” and less time is wasted on fixing the wrong issues. Doing the right things wins here over doing things right. Be sure to give it a try.
If you have more questions about application risk management, feel free to book a meeting with one of our solutions experts or send a mail to firstname.lastname@example.org.