It’s no secret that, today, the diversity of R&D allows companies to rapidly introduce new applications and push changes to existing ones. But this great complexity for application security teams results in significant AppSec management challenges, according to Barak Tawily, co-founder and Chief Technology Officer (CTO) of Enso Security. These challenges, he says, include the difficulty of tracking applications across environments, measuring risks, prioritizing tasks and enforcing uniform Application Security strategies across all applications.
But as companies push out code faster than ever, the application security teams aren’t able to keep up — and may not even know about every application being developed internally. argues that application security today is often a manual effort to identify owners and measure risk, for example — and the resources for application security teams are often limited, especially when compared the size of the overall development team in most companies, Tawily believes. Indeed, he argues that most AppSec teams today spend most of their time creating relationships with developers and performing operational and product-related tasks — and not on application security. Here, we talk to Tawily about AppSec and why enterprise security should be concerned with AppSec.
Security: What is your background and current role?
Tawily: I began developing applications as a hobby at the age 14 with the hopes of becoming a “white-hat hacker” one day. I started my professional career as an application security consultant, and worked with more than 100 companies worldwide for a few years.
In recent years, I worked for Wix.com securing millions of websites, where I specialized in SSDLC (secure software development life cycle). I ended up as Security Development Team Leader, which allowed me to focus on AppSec automations, including automating visibility, mitigations, and vulnerabilities detection.
After several years working in the security industry, I witnessed many AppSec teams struggle to apply their AppSec strategies throughout their organizations, due to many challenges affecting the AppSec world. I was eager to use my experience in order to help AppSec teams manage massive development and enforce their program continuously and automatically. As such, I founded enso.security, the world’s first ASPM (Application Security Posture Management) platform.
In addition to my work at Enso Security, I am an application security researcher, blogger, bug bounty hunter, and the author of Autorize, the most popular open source tool for detecting authorization flaws.
Security: What are the challenges most companies face when it comes to application security?
Tawily: The best way to understand companies' challenges and, particularly AppSec as it is today, is to look into the past and understand the transformation of the development methodologies.
Until recently, the waterfall model was most commonly used, whereby AppSec teams would join the testing phase as a gator. AppSec teams could ensure that all required security tests and activities were performed on all applications, allowing the company’s AppSec strategy to be properly carried out.
Nowadays, companies try to be as agile as they can and businesses aim to deliver products and features as fast as possible, while developers solely focus on writing business logic code.
Due to this change, the industry has made huge progress in the DevOps area and everyone agrees that infrastructure should be managed and be transparent to developers (managed DBs, managed kubernetes clusters, serverless functions, infrastructure as code, etc.).
Unfortunately, in an agile world, AppSec engineers face huge challenges.
Developers can now cause significant changes to production with just a few mouse clicks and as a result, the AppSec world has turned chaotic - developers constantly push new code while AppSec teams lag behind, struggling to keep up with the pace.
To summarize, AppSec teams need to cope with the following challenges:
- Rapid changes of application environments
- Lack of visibility
- Lack of prioritization
- Lack of resources
- Mandatory automations
Security: What are the pain points that AppSec engineers face?
Rapid changes of application environments:
In an agile world, developers can easily deploy new code to production without the AppSec team’s knowledge.
New code might be abused and/or introduce new vulnerabilities or logic flaws, hackers might exploit these vulnerabilities and cause damage to the organizations while AppSec teams are left in the dark, trying to keep up.
Due to huge progress in the infrastructure area, developers can choose many ways to deploy their code. In a single organization, you might have several types of cloud environments, CI/CD pipelines, source control managements, log aggregators, reverse proxies, and more. It is therefore really hard for AppSec engineers to identify changes by looking into these systems because there are too many systems to look at. This means that AppSec teams don’t have enough visibility on their environment.
Therefore, AppSec teams have to integrate product/s in order to gain continuous visibility and have a clear understanding of what kind of data they need, based on their AppSec strategy and resources.
Are they looking to identify new apps? New endpoints including PII? New code deployed? Etc.
Even if you gain visibility, you need to choose where you are initially going to invest and how much, which is not a simple question. Out of many applications, you need to choose which activities you are going to apply to each application, based on application’s criticality (that requires deep visibility and understanding a business’ critical assets).
Resources & Automations:
Throughout my career, I have seen many AppSec teams with a seemingly “good” ratio between AppSec engineers and developers of 1:100. It is obvious that a single AppSec engineer can’t cover 100 developers pushing code on a daily basis. So, AppSec teams have to implement security products and utilize automations in order to be equipped to handle and enforce their AppSec program throughout the organization.
Security: Why is application security important for enterprise security?
- Reputation: None of us will use an application if it has had a website defacement, even if the hackers didn’t access our personal information.
- Privacy Violations: As clients, we expect applications to store our data in a secured manner. We see a lot of users stop using particular applications in cases of personal information leakage or any other privacy violations, which leads to direct damage to the business.
- Financial Damage: Most of the application hacking campaigns today are created by attackers for their own benefits (e.g. gain money) - attackers wish to access credit cards, take over machines, steal sensitive information or intellectual property.
- Regulations: PCI, GDPR, CCPA, and many more regulations expose enterprises to lots of legal issues and financial damage.
Security: What are the issues with the time management of the application security process?
Tawily: AppSec teams must manage their time very carefully in an agile world.
Their AppSec strategy is very much determined by the size of their team, their resources and the amount of developers in the organization. In an agile environment, the amount of work is disproportionate to the number of security engineers in a company - the workload is very high in comparison to few security employees. This requires serious prioritization and heavy use of automated tools. AppSec team managers must find ways to optimize their security strategies and pinpoint the most critical assets, in order to increase efficiency and ultimately maximize the company’s security. In order to manage their responsibilities and secure the organization’s critical assets, AppSec teams must constantly adapt and refine their AppSec strategy.