The good news is that running an effective application security program remotely is no different than running it in the office. However, the reality is that most companies are not at the point of being in this sought-after utopia of running an effective application security program in the office. Instead, application security consists of a lot of manual processes, handholding, and looking over developers’ shoulders. The three most important things in application security are automation, automation, automation.
This post will go through several areas of application security and recommend how they can be automated and performed remotely so that you can benefit in this time of remote work. We hope you will use this unique time as an opportunity to push your organization forward in application security and to modernize your tools, methods, and workflow.
Integrate Into Communication & Tracking Tools
An important first step is to integrate security notifications and tasks into your already existing SaaS tools and workflows, such as JIRA, Slack, PagerDuty, MS Teams, etc. All tasks and notifications should be added to these tools instead of being handled manually or put in yet another tool to check or log in to. This ensures that the security team and software developers will receive notices and stay on top of tasks, since they are in the tools they already use.
Security tools should be run when needed through an automated workflow. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools should be started when code is checked in or deployed to development environments. Integrate SAST and DAST tools into CI/CD software such as Jenkins or CircleCI to have them run automatically. When these tools detect issues, they should be automatically assigned and tracked for remediation, which is possible because the security tools are integrated into the communication and tracking software.
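As an added illustration (not code from the original post or from HackEDU), the script below shows the "scanner output to tracked task" step of such a pipeline: it parses a SAST report in SARIF 2.1.0 format, buckets each finding by severity, fingerprints it so re-scans do not open duplicate tickets, and assigns it to an owning team. The SARIF document, the `CODEOWNERS` path-to-team map and the severity thresholds are constructed for the example; a real integration would post the resulting payloads to the tracker's API.

```python
"""Turn SAST output (SARIF 2.1.0) into tracker ticket payloads.

Added example. The SARIF document and ownership map below are constructed;
they do not come from a real scanner or project.
"""
import hashlib
import json
from typing import Dict, List, Set

# Constructed SARIF 2.1.0 document standing in for a real SAST run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "sqli", "shortDescription": {"text": "SQL injection"},
             "properties": {"security-severity": "9.0"}},
            {"id": "weak-hash", "shortDescription": {"text": "Weak hash algorithm"},
             "properties": {"security-severity": "4.0"}},
        ]}},
        "results": [
            {"ruleId": "sqli", "level": "error",
             "message": {"text": "User input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "api/orders.py"},
                 "region": {"startLine": 88}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "auth/passwords.py"},
                 "region": {"startLine": 12}}}]},
        ],
    }],
})

# Assumed ownership map (path prefix -> team) used to auto-assign tickets.
CODEOWNERS = {"api/": "team-orders", "auth/": "team-identity"}


def severity_bucket(score: float) -> str:
    """Map a CVSS-style security-severity score to a policy bucket."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def parse_sarif(text: str) -> List[Dict]:
    """Flatten a SARIF document into one dict per result."""
    doc = json.loads(text)
    findings = []
    for run in doc["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            score = float(rule.get("properties", {}).get("security-severity", 0.0))
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "tool": driver["name"],
                "rule": res["ruleId"],
                "title": rule.get("shortDescription", {}).get("text", res["ruleId"]),
                "message": res["message"]["text"],
                "path": loc["artifactLocation"]["uri"],
                "line": loc.get("region", {}).get("startLine", 0),
                "severity": severity_bucket(score),
            })
    return findings


def fingerprint(f: Dict) -> str:
    """Stable dedup key across re-scans; the line number is left out so edits
    above a finding do not open a second ticket for the same issue."""
    raw = "|".join([f["tool"], f["rule"], f["path"], f["message"]])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def owner_for(path: str) -> str:
    for prefix, team in CODEOWNERS.items():
        if path.startswith(prefix):
            return team
    return "appsec-triage"  # fallback queue when no owner matches


def to_tickets(findings: List[Dict], existing: Set[str]) -> List[Dict]:
    """Build tracker payloads, skipping findings that already have a ticket."""
    tickets = []
    for f in findings:
        key = fingerprint(f)
        if key in existing:
            continue
        tickets.append({
            "key": key,
            "summary": f"[{f['severity'].upper()}] {f['title']} in {f['path']}:{f['line']}",
            "assignee": owner_for(f["path"]),
            "labels": ["security", f["tool"], f["severity"]],
            "description": f["message"],
        })
    return tickets


if __name__ == "__main__":
    for ticket in to_tickets(parse_sarif(SAMPLE_SARIF), existing=set()):
        print(json.dumps(ticket))
```

The `existing` set would normally be loaded from the tracker (the fingerprints of open security tickets) before each run, so the CI job is idempotent and can run on every check-in without flooding the backlog.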
Automate Rule Enforcement
Automate the enforcement of security rules and policies so that no one has to check by hand that they are being met. This is especially true when everyone is working remotely and monitoring policies is nearly impossible. For example, do not let developers check in or deploy code if there are known vulnerabilities that have been found through SAST/DAST testing. Monitor task notification and tracking to ensure that vulnerabilities are being remediated within the timeframe required by your security policies. Trying to do this manually when in the office is difficult enough, but doing it while everyone is working remotely is nearly impossible for all teams, and harder still for large teams. Go through your security policies and see which of them you can turn into automated checks.
Train your software developers with on-demand, hands-on training. Training gives software developers working from home a break and helps to provide them with variety in their day. Working from home can be difficult for some people, and breaking up the day with something different can be useful. HackEDU has seen an uptick in usage while people have been working from home. Training developers helps to scale and automate the process of reducing vulnerabilities in software.