Why AppSec for business?
April 8, 2026·55 views

🤔 Why AppSec for business?

Salute,

Again, it’s painful when there is a misunderstanding about why IBeshechka exists and why we even exist.

Let's look at how to explain and convey this idea differently to the key decision-maker.

Here is the version I can offer, based on my own background and what I usually present when I talk about this at conferences or share with you in general.

1. What is it and why is it needed?

We are building a system in which all code delivered to production is automatically checked for security. Right now your code goes to production without an IS check, or the check happens chaotically: once a quarter, before an audit, after an incident, and so on. It's like a fire inspection once a year instead of a fire alarm; when a fire does break out, all the risks have to be dealt with at the same time.

2. What exactly happens?

An automated pipeline that statically checks the code on every commit (SAST), checks dependencies (SCA), scans containers, and looks for secrets in the code. Plus manual DAST testing of web applications and APIs. And a process for managing the vulnerabilities that are found: not just "here's a 200-page PDF report," but routing tasks in Jira to specific developers with priorities and deadlines.

3. Why are we even doing this?

Reducing the real risk of an incident, compromise, leak, and so on. The cost of an incident versus the cost of prevention is a tenfold difference.

4. Why can't someone else?

The simplest answer: there is no in-house competence in this area, no established direction, and no way to build it correctly the first time rather than learning on the job and spending enormous sums on it; otherwise there would be no open vacancies for these positions. (This usually applies where everything really is being built from scratch.)

For example, you could buy a license for a tool like Checkmarx, PT Application Inspector or Solar appScreener and hand it to the developers to run themselves, but a tool without expertise is like an MRI machine without a doctor. That is why you need a person who will tailor the rules to your stack, filter out the false positives (they exceed 70% of all findings), prioritize by the real risk to the business, integrate the tool into the pipeline, and so on. Just buy a scanner and run it and you'll get a 500-page report that nobody knows what to do with or how to fix; and to get even that report you'll have to fiddle with the setup. Even if the vendor/integrator does the integration and setup, those are additional costs that will run many times higher.

But internally we already know the infrastructure, the processes, the network segments, GitLab, Nexus. We don't spend two months getting up to speed. Plus, we don't just scan and report: we build a process that keeps working after we leave. The automation stays with you, the pipeline stays with you, and the team learns and actually starts working with it hands-on, rather than mindlessly fulfilling the next set of requirements that aren't tailored to their stack.
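To make the pipeline and triage steps from sections 2 and 4 concrete (per-commit scanner findings, a reviewed false-positive list, a severity threshold that fails the build, and routing of the rest to specific developers), here is an added example of a minimal quality gate. It is not code from the post or from any of the tools named above: the finding schema, the suppression list, the path-to-team mapping and the sample report are all constructed assumptions, and a real setup would read the scanner's own report format instead of the inline sample.

```python
"""Minimal CI quality gate: load scanner findings, drop reviewed suppressions,
fail the build above a severity threshold, and group what remains into
per-team work items. Constructed example; schema and data are assumptions."""
import json
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample of merged SAST/SCA/secret-scan output, reduced to the fields
# the gate needs. This is not any real scanner's format.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "sast-0001", "scanner": "sast", "severity": "high",
         "rule": "sql-injection", "file": "payments/db.py", "line": 42},
        {"id": "sast-0002", "scanner": "sast", "severity": "medium",
         "rule": "weak-hash", "file": "auth/legacy.py", "line": 7},
        {"id": "sca-0001", "scanner": "sca", "severity": "critical",
         "rule": "vulnerable-dependency", "file": "requirements.txt", "line": 3},
        {"id": "secret-0001", "scanner": "secrets", "severity": "high",
         "rule": "aws-access-key", "file": "tests/fixtures.py", "line": 12},
        {"id": "sast-0003", "scanner": "sast", "severity": "low",
         "rule": "debug-enabled", "file": "payments/settings.py", "line": 1},
    ]
})

# Reviewed suppressions: finding id -> reason. Keeping these in the repo turns
# "filter out false positives" into a reproducible, auditable step. (Constructed.)
SUPPRESSIONS = {
    "secret-0001": "false positive: placeholder key in a test fixture",
    "sast-0002": "accepted risk: legacy module scheduled for removal",
}

# Path prefix -> owning team; longest matching prefix wins, "" is the fallback.
OWNERS = {"payments/": "team-payments", "auth/": "team-identity", "": "team-platform"}


def load_findings(report_json):
    """Parse the report and reject entries with an unknown severity label."""
    findings = json.loads(report_json)["findings"]
    for f in findings:
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} in {f['id']}")
    return findings


def triage(findings, suppressions):
    """Drop findings whose id has a reviewed suppression."""
    return [f for f in findings if f["id"] not in suppressions]


def owner_for(path, owners=OWNERS):
    """Map a file path to a team by the longest matching prefix."""
    best = max((p for p in owners if path.startswith(p)), key=len)
    return owners[best]


def build_tickets(findings):
    """Group open findings per owning team, most severe first."""
    by_owner = defaultdict(list)
    for f in findings:
        by_owner[owner_for(f["file"])].append(f)
    tickets = {}
    for owner, items in by_owner.items():
        items.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
        tickets[owner] = [
            f"[{f['severity'].upper()}] {f['rule']} in {f['file']}:{f['line']}"
            for f in items
        ]
    return tickets


def run_gate(report_json, suppressions, fail_at="high"):
    """Return the gate decision plus the work items to route to developers."""
    open_findings = triage(load_findings(report_json), suppressions)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f["id"] for f in open_findings
                if SEVERITY_RANK[f["severity"]] >= threshold]
    return {
        "passed": not blocking,
        "blocking": blocking,
        "tickets": build_tickets(open_findings),
    }


if __name__ == "__main__":
    result = run_gate(SAMPLE_REPORT, SUPPRESSIONS)
    print(json.dumps(result, indent=2))
    # A non-zero exit is what makes the CI job, and therefore the merge, fail.
    raise SystemExit(0 if result["passed"] else 1)
```

Run as a CI job after the scanners, the script's exit code is the Quality Gate; the `tickets` structure is what a Jira integration would turn into one task per team, already ordered by severity, instead of a monolithic report.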

5. What does the customer get as a result?

• Fully deployed and configured information security testing infrastructure

• Results of a comprehensive security analysis

• Working automated information security pipeline in CI/CD with Quality Gate

• Vulnerability management process via ASOC/ASPM and Jira

• Secrets management (Vault)

• Information security incident processing process

• Analytical reports with risk assessment, triage and recommendations

• Documentation: UML pipeline, technical manual, recommendations

• Trained team: through collaboration, consultation, and joint review of false-positive findings

• Ready foundation to further increase DevSecOps maturity

PS: just add your own case on top; but you, like me, are obviously already tired of answering such questions from time to time, and some kind of template will be useful to you.

PPS: and soon we'll also touch on marketing and a small funnel for AppSec; yes, here too you have to work with it somehow and figure out how to level yourself up 🙃

#devsecops #appsec #paper #reco #pmi #humanres
