There’s no such thing as “done” with application security
If you’re like most companies in the software business, you’re relentlessly developing new features, streamlining workflows and improving the user experience. But every single change to your platform also changes how you might be attacked. As you develop new code, you’ll almost certainly inject new vulnerabilities. Those need to be addressed.
Technology evolves so quickly that it requires you to constantly revisit your security to stay ahead of new vulnerabilities. The process never ends. As one director of application security described it, “Once you know the rules, the game changes.”
The best way to deal with this is to treat security as a cycle, a process that continually repeats. However, many people tend to think of security as a one-and-done process, something that is linear with a start and finish, after which it doesn’t need attention again.
But that’s wrong. Security is not a line; it’s a loop.
The only constant is change
Change is inevitable.
For example, your customers’ demands change. Sometimes they require new security controls. Sometimes they want to change their model, such as moving from software that is hosted on-premises (which runs at their physical site on computers they own and control) to software that is cloud-hosted (which runs remotely on computers owned and controlled by a service provider). Whatever the change, they need assurance that your security meets their new needs.
Another type of change is the invention of new attack techniques. Attackers are just like you: they're constantly innovating. They’re relentless in inventing new ways to exploit systems. You need to constantly investigate these new techniques, too. Security truly is an arms race, and you need to keep up.
Lastly, widespread vulnerabilities in core technologies are discovered. The very nature of building software is that you’ll have dependencies. Whether that’s on a cloud provider, third-party libraries, integration of third-party solutions or some other shared component, your security relies on someone else’s security to some extent. Those third parties are evolving, too, while at the same time, new exploits are discovered in them.
Change happens all the time, and you need to reevaluate your system and adjust your defenses accordingly.
Take a lesson from the ultimate hackers
Change impacts your security, and to deal with that, you need to adapt. You want to be like nature’s ultimate hackers: squirrels.
If you’ve ever seen a bird feeder, you’ve seen squirrels defeat almost any attempt to prevent them from stealing the feed. Squirrels don’t care that the feed isn’t for them. To the squirrel, it’s about survival — steal the feed or die. So they relentlessly adapt to whatever barrier is thrown at them.
With application security, you’re up against the same level of intensity. Like squirrels, your attackers will stop at nothing to break the rules of your system, exploit functionality and gain access where they don’t belong. That’s how your attackers think, and that’s how you must, too, if you want to defend against them.
An iterative approach to security
All of this change requires that you take an iterative, ongoing approach to security.
Many people mistake security for a linear process: do step A, then step B, then step C, and you’re done. But that’s wrong. Security is not a line; security is a loop. Yes, there is a process, but once you finish it, you must repeat it. Forever.
The process follows a simple formula:
- Establish/update your threat model
- Perform security assessment
- Remediate your vulnerabilities
- Continue developing but with security in mind
- Repeat
As a senior vice president of product management put it, “There’s no finish line for security.” You will refine your process, but it will never end.
Reassessments keep your application in the clear
The best way to do this is through what’s called reassessments: the ongoing evaluation of your system for security vulnerabilities so you can continue to improve it. Finding and eradicating vulnerabilities is the point of security testing, and given all of the ways the world is changing, new vulnerabilities will continue to appear. Reassessments ensure you keep identifying them so you can fix them.
Therein lies the value of reassessments. Even though you’ll introduce new vulnerabilities as your application inevitably changes with time, you’ll be able to catch them. Reassessments help you deal with change, identify the new vulnerabilities that get introduced over time and ultimately keep your system as secure as it can be.
You’ll never be “done,” but you will be building a better, more secure software system.