Improving application security for most organizations means implementing more of the Secure Software Development Lifecycle (Secure SDLC). What can you do once you have implemented everything? Or what can you do to improve what you already have in place? One way would be to measure how everything is currently working and then make changes, measure, and continue.
The problem with this method is that application security metrics can be difficult to interpret for a number of reasons. Using the number of vulnerabilities found and fixed does not take into account the severity of each vulnerability. Even if you do take severity into account, why is the number of vulnerabilities decreasing? Are you getting worse at finding them, or are you getting better at preventing them? It is very hard to tell what is going on by tracking basic metrics in application security.
One way to improve application security (AppSec) without having perfect metrics is to create a feedback loop. Feedback loops are simple: give people access to information in real time and give them a chance to change. Many studies have shown the effectiveness of feedback loops and how they help change human behavior. Feedback loops can be used in application security to help improve code by changing developer behavior.
Feedback loops have four stages:

1. Evidence: data about the behavior is collected and shown to the person in real time.
2. Relevance: the data is presented in a context that matters to that person.
3. Consequences: the person is reminded of what the behavior leads to.
4. Action: the person is given a chance to change.

After the action, more data is collected and the feedback loop starts again.
One example of a feedback loop is a dynamic speed display added next to a speed limit sign. The car's current speed is shown to the driver (evidence) right next to the legal speed limit (relevance). Drivers are reminded of the downsides of speeding, such as tickets or accidents (consequences), and most of them slow down (action) as a result. Not only that, but drivers slow down by 10% on average for several miles beyond the sign. This feedback loop is effective in getting the desired outcome and having people change their behavior.
Feedback loops can be leveraged in application security to get the desired outcome of more secure code and fewer vulnerabilities. One way to do this is with a Static Application Security Testing (SAST) tool, such as Parasoft: take the vulnerability data from the tool and provide it to the developer who wrote the code, along with the severity and potential impact of each vulnerability. Developers see the security mistakes they have made in context and realize the potential impact of the vulnerabilities. Next, developers fix the relevant mistakes and take secure coding training matched to the vulnerabilities that were found, using a platform like HackEDU, to ensure they fix each vulnerability correctly. Developers get better at writing secure code because they are learning from their own mistakes after seeing the consequences. The feedback loop continues alongside the secure software development lifecycle, and the result is more secure code.

The feedback loop this creates is:

1. Evidence: the SAST tool reports the vulnerabilities it found in the code.
2. Relevance: each finding goes to the developer who wrote the code, with its severity and potential impact.
3. Consequences: the developer sees, in context, what the vulnerability could lead to.
4. Action: the developer fixes the mistake and takes training on the class of vulnerability found.
This feedback loop helps to change developer behavior and starts to reduce the risk of vulnerabilities in software. Developers improve their ability to write secure code, they become more conscious of potential issues in code, and they understand the consequences of not writing secure code.
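The routing step of this loop, as an added example that is not code from the original post, Parasoft or HackEDU: it takes a constructed list of SAST findings in an assumed file/line/CWE/severity shape, maps each one to the developer who owns that line using assumed `git blame` style ranges, ranks them by severity, derives a per-developer training backlog, and reports which findings a later scan no longer shows.

```python
# Added example: route SAST findings to the developer who wrote each line,
# ranked by severity, and derive a per-developer training backlog (assumed
# finding/blame formats; not the original post's or any vendor's code).
from collections import defaultdict

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed sample findings, in the shape a SAST export might take.
FINDINGS = [
    {"file": "app/login.py", "line": 42, "cwe": "CWE-89", "severity": "high",
     "message": "SQL query assembled by string concatenation"},
    {"file": "app/login.py", "line": 88, "cwe": "CWE-79", "severity": "medium",
     "message": "user input written to HTML without escaping"},
    {"file": "app/upload.py", "line": 17, "cwe": "CWE-22", "severity": "high",
     "message": "file path built from a user-supplied name"},
    {"file": "app/util.py", "line": 5, "cwe": "CWE-79", "severity": "low",
     "message": "user input written to HTML without escaping"},
]
# Constructed ownership ranges (file, first_line, last_line, author), the
# kind of data `git blame` yields once its per-line output is collapsed.
BLAME = [
    ("app/login.py", 1, 60, "alice"),
    ("app/login.py", 61, 120, "bob"),
    ("app/upload.py", 1, 40, "alice"),
]

def owner_of(file, line, blame=BLAME):
    """Author of a line, or 'unassigned' when no blame range covers it."""
    for path, first, last, author in blame:
        if path == file and first <= line <= last:
            return author
    return "unassigned"

def route_findings(findings=FINDINGS, blame=BLAME):
    """Group findings per developer, highest severity first (evidence, relevance)."""
    per_dev = defaultdict(list)
    for finding in findings:
        per_dev[owner_of(finding["file"], finding["line"], blame)].append(finding)
    return {dev: sorted(items, key=lambda f: -SEVERITY_RANK[f["severity"]])
            for dev, items in per_dev.items()}

def training_topics(items):
    """Distinct CWE ids in severity order: the developer's training backlog (action)."""
    return list(dict.fromkeys(f["cwe"] for f in items))

def resolved(before, after):
    """Findings from the previous scan that a re-scan no longer reports."""
    key = lambda f: (f["file"], f["cwe"], f["message"])
    still_open = {key(f) for f in after}
    return [f for f in before if key(f) not in still_open]
```

Findings with no owner land in an `unassigned` bucket rather than silently disappearing, which is where unowned or generated code surfaces.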
There are other areas of application security that can use feedback loops as well. All of them are meant to inform and improve the behavior of software developers. For instance, one area is providing third-party library vulnerability information to developers with a Software Composition Analysis (SCA) tool such as OWASP Dependency-Check and making the developers responsible for upgrading the libraries. Developers will be much more deliberate about which third-party packages they use, if they choose to use them at all; the cost-benefit decision is shifted to the developers.
Another area where feedback loops can be used is in updating secure coding standards based on software scans or code reviews. A developer is provided with the vulnerabilities along with their severity and impact. If applicable, the action the developer takes is to put in place a coding standard based on the issue found. If there is already a standard in place for the issue, or if the issue does not lend itself to a standard, then the developer may instead need to practice secure coding in a code review platform like HackEDU.
Without perfect metrics, application security can still be improved. Since software development is a human-based activity (for now), changing developer behavior and leveraging feedback loops can have a tremendous effect on improving application security.
Jared Ablon is the CEO of HackEDU, an interactive training platform for secure coding training, proven to train developers. Previously he was the Chief Information Security Officer at AirMap where he was the recipient of the Chief Information Security Officer (CISO) of the year award by the LA Business Journal.