A Primer on Application Security Engineering

Chandan Bhattacharya
Cyber Security Advocacy
3 min read · Aug 9, 2024

Application Security is a vital part of any organization’s digital ecosystem. With the proliferation of cyber threats, it is natural to emphasize comprehensive application security assessments that uncover and address vulnerabilities in a timely manner. An often-ignored aspect of Application Security, however, is designing, deploying and maintaining the solutions that let organizations carry out the various activities of an Application Security lifecycle. That aspect is Application Security Engineering.

I view the engineering aspect of Application Security as separate from Application Security assessments, because the primary skillset and the focus of the two activities are different. Through this article, I hope to outline my thoughts on the need for Application Security Engineering and propose a structured approach that organizations can refer to when building and enhancing their own processes.

Need for Application Security Engineering

In my consulting experience, I have worked with many clients to enhance their Application Security processes and technology stack, and one thing that has struck me is how differently they view their application security risk, and therefore how differently they adopt processes and tools to address it. By far the biggest pain point I have found is that their Application Security processes and technologies are completely disjointed from their software engineering processes. As a result, any process enhancement or technology adoption for Application Security can run into integration issues with their software engineering pipelines. To address this, organizations need to couple their Application Security activities tightly with their engineering pipelines, which should ideally lead to procuring, deploying and maintaining application security tools that can be assimilated into those pipelines with little friction.

How to implement Application Security Engineering

The core pillars of cybersecurity in the context of an organization are People, Process and Technology. In that regard, Application Security Engineering can be viewed as shown in the graphic below.

To understand what a mature Application Security infrastructure looks like, the architecture diagram below shows the components and tools that Application Security Engineering would establish.

Keeping the above in mind, here’s a broad approach that organizations can follow to establish Application Security Engineering.

To follow this approach, organizations must consider certain questions at each stage of the process. These are as follows:

  • What is the right skillset?
  • How much is the cybersecurity budget?
  • Who would be the stakeholders for Application security engineering? What are their responsibilities?
  • Can in-house tools be developed? Are commercial or open-source tools available to fit the need? Would any customization be needed?
  • What is the organization’s system engineering pipeline? Does it offer scope for integration/enhancements for application security automation?
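The last question above, and the pipeline-coupling argument earlier in the article, are easiest to see in code. The script below is an added example written for this article, not a tool from the author or from any vendor: a policy gate that a CI job would run after a static analysis scanner, reading the scanner's SARIF 2.1.0 report and deciding whether the build may proceed. The SARIF document, the tool name `example-sast`, the rule IDs, the blocking threshold and the fallback level-to-score mapping are all constructed assumptions; real scanners emit the same SARIF structure, which is why a gate like this can sit in front of any of them.

```python
"""CI policy gate over a SAST scanner's SARIF output.

Added example for this article (not the author's or any vendor's code).
The SARIF document below is a constructed sample; the threshold and the
level-to-score fallback are assumptions a team would tune for itself.
"""
import hashlib
import json
import sys

# Constructed SARIF 2.1.0 report standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.0"}},
            {"id": "LOG-002", "properties": {"security-severity": "3.5"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL statement built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-002", "level": "warning",
             "message": {"text": "sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

# Assumption: findings scored at or above this CVSS-like value block the merge.
BLOCKING_SEVERITY = 7.0
# Assumption: fallback scores when a rule carries no "security-severity".
LEVEL_FALLBACK = {"error": 8.0, "warning": 4.0, "note": 1.0}


def fingerprint(rule_id, uri, line):
    """Stable identity for a finding, used to track accepted-risk baselines."""
    return hashlib.sha256(f"{rule_id}|{uri}|{line}".encode()).hexdigest()[:16]


def parse_findings(sarif_text):
    """Flatten a SARIF report into a list of findings with a numeric severity."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "<unknown>")
            props = rules.get(rule_id, {}).get("properties", {})
            if "security-severity" in props:
                severity = float(props["security-severity"])
            else:
                severity = LEVEL_FALLBACK.get(res.get("level", "note"), 1.0)
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append({
                "rule": rule_id,
                "severity": severity,
                "uri": uri,
                "line": line,
                "message": res.get("message", {}).get("text", ""),
                "fingerprint": fingerprint(rule_id, uri, line),
            })
    return findings


def evaluate_gate(findings, baseline=frozenset(), threshold=BLOCKING_SEVERITY):
    """Fail when any finding meets the threshold and is not an accepted baseline."""
    blocking = [f for f in findings
                if f["severity"] >= threshold and f["fingerprint"] not in baseline]
    return {"passed": not blocking, "blocking": blocking, "total": len(findings)}


if __name__ == "__main__":
    # In a pipeline this would read the scanner's real report file and the
    # repository's committed baseline; here both come from the sample above.
    verdict = evaluate_gate(parse_findings(SAMPLE_SARIF))
    for f in verdict["blocking"]:
        print(f"BLOCK {f['rule']} {f['uri']}:{f['line']} sev={f['severity']} {f['message']}")
    print(f"{verdict['total']} finding(s), gate {'passed' if verdict['passed'] else 'failed'}")
    sys.exit(0 if verdict["passed"] else 1)
```

The non-zero exit code is what ties the gate to the engineering pipeline: a CI job that runs this script after the scanner fails the build on a high-severity finding without anyone having to open a separate AppSec console. The fingerprint baseline is the escape hatch that keeps such a gate from being switched off in frustration: an accepted-risk finding is recorded once, under review, and the same finding at the same location stops blocking, while a new one at a different location still does.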

I’ve written a few articles to help provide insight into these questions:

Conclusion

Let me summarize the core thought of this article: Application Security Engineering is just as important as Application Security assessments. Organizations should give serious thought to how they establish a mature Application Security infrastructure that meets not just current requirements but also anticipates future needs and allows the infrastructure to scale accordingly. That is where Application Security Engineering will benefit them most.

Like what you read? Do consider following Cyber Security Advocacy where I publish weekly articles to share my knowledge and experience from over a decade in Cybersecurity.


A passionate learner — interested in Economics, Personal Finance and Cyber Security