4 Tips for Adopting a Practical Approach to AppSec
September 18, 2023
How difficult is it to try and have a real meaningful conversation in a loud bar? The music that is played makes it impossible to hear, and the noisy conversations around me really challenge my attention span when trying to focus on the conversation I’m trying to lead. Well, this is exactly what we are asking our security teams to do.
With the number of security tools in use, and the massive amount of alerts that are generated by each tool, it feels impossible to gain focus. Obviously, we can ask our team to focus on what matters, but how can they cut through the noise in an effective way?
In this blog, I’ll present the main disturbances drawing the attention of a security practitioner and how I apply the principles of practicality to handle them.
Let’s go one level deeper to understand what slows down the work of AppSec practitioners – and why it is impossible to focus and pay attention to the most relevant issues.
When alerts come fast and frequent, it is impossible to expect practitioners to be able to seriously address each alert. Personally, I'd prefer having a tool that informs me once a day about a problem that requires my attention – instead of bombarding me with 2,500 alerts that turn out to be a waste of my time.
A big source of noise is static code analysis – which produces findings that are both highly theoretical and difficult to understand without technical expertise.
This issue becomes even more significant when we adopt a "shift left" strategy - shifting security responsibilities to engineering. While it might seem beneficial for the security team, it creates friction with engineering, who (not surprisingly) do not appreciate the overwhelming amount of noise generated by static code analysis tools.
Many organizations try to add security by buying more security tools. Companies, including startups, can accumulate 15 to 20 different security tools, some with overlapping functionality. I often encounter security products that offer fancy ways to display data (like different colored pie charts), but ultimately don't significantly impact security.
For example, most dependency management tools lack context. They may highlight vulnerabilities with fancy names and mention potential risks like ‘remote code execution,’ but fail to provide vital details on how these vulnerabilities are actually being exploited in the wild. This leaves engineers confused, investing hours checking commits and assessing potential application functionality issues after merging updates.
Given the level of noise created by overlapping tools, each with many alerts, security leaders fare best when they adopt a practical approach to guide practitioners through the noise to fight the actual (rather than theoretical) fires.
Here are some techniques I’ve implemented that actually work in today’s security landscape:
In my team, we don't ignore vulnerabilities – rather, we focus on understanding their relevance to our specific applications. When we identify a vulnerability, we check to see whether the vulnerable function is even used in our application. If it's not, it means that the vulnerability could not be exploited in the context of our application and therefore it is not relevant for us.
I favor taking a practical approach to choosing and using tools for AppSec, too.
First, it’s crucial to build a comprehensive threat model. This means thoroughly analyzing potential breach scenarios and identifying existing mitigating controls. By doing so, you can understand actual security needs and avoid making unsupported investments in security solutions.
Second, we favor tools that respect our time and help us focus on the alerts that matter instead of drowning us in an ocean of irrelevant noise.
Adopting a practical approach to compliance is also important. Sometimes companies truly need to add tools that support compliance requirements like audit trails and remediation timelines. Yet here, too, you need to choose tools carefully.
Generating general SBOMs without any context makes no sense, since you will get a long list of issues which you are not able to fix. You ideally just want to ignore what you don't execute or load because it is not relevant.
We’re also practical in our headcount. To ensure that we have the right people on the team, we focus on hiring security professionals with an engineering mindset, who not only identify security issues but also take ownership and actively work to fix them. Engineers who can both diagnose problems and implement solutions are invaluable assets. This practical approach to application security not only enhances our security posture but also fosters better collaboration between security and engineering.
At Cresta, we aim to follow the guidelines I described above. This is also what drew our attention to using Oligo, which helps us align our actions with these practical principles.
By using context from the running application, Oligo helps us detect the relevant vulnerabilities that could be exploited in the context of our application. This approach helped us to significantly narrow down the amount of vulnerabilities we had to review, and also helped us prioritize the important vulnerabilities using specific application information, rather than focusing only on a general CVSS score like most tools.
Another important aspect is the detection of actual attacks. While traditional tools might blindly shut down actions they think are suspicious which often turn out to be wrong and only create noise - we liked the focused approach Oligo offers. They helped us increase our resolution to see application security down to the library level, identifying suspicious behavior in each library. This granular visibility helps us avoid unnecessary disruptions.
It’s time for security to adopt a more practical approach: shifting focus towards consolidation and away from prioritizing pie charts. The goal should be to reduce reliance on an excessive number of tools, preventing the need for additional headcount to manage them all. Investing in Oligo has delivered genuine value for Cresta by significantly improving security measures without creating a flood of unnecessary data and tasks for security teams.
Oligo helps organizations focus on true exploitability, streamlining security processes without hindering developer productivity.
