The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Tanya Janca, Founder of We Hack Purple Academy and author of the best-selling book “Alice and Bob Learn Application Security.” In this conversation, Tanya shares her insights on application security (AppSec), its role in the security organization, and challenges for AppSec professionals.
Natalia: How do you define application security?
Tanya: Application security, or AppSec, is every activity you do to make sure your software is secure. Let’s say there’s a Java developer that uses Spring Boot, and there’s a vulnerability. They hear a podcast about it and say, “I think we should probably update it because it sounded really scary on the podcast.” That contributes to application security.
However, quite often when people talk about application security, they are talking about a formalized program at a workplace to make sure that the applications being released are reliably secure. We want to make sure every single application gets security attention, and that each gets the same security attention and support. We want to do the best we can to verify that it is at the posture that we have decided is our goal. Each organization sets that differently, which I talk about a lot in the book I released last year, but basically, application security professionals want to minimize the risk of the scary apps and then bring everything across the board up to a better security posture. That requires talking to almost everyone in IT on a regular basis. I like to think of application security folks as techie social butterflies.
Natalia: How does the security skills gap impact AppSec?
Tanya: I’m obviously biased because I run a training company, but I started it because people kept asking me to train them on how to do it because there is a gap. There is a gap, in general, in IT security with finding someone who has experience and understands best practices rather than just guessing how to train people.
In application security, there tends to be an even wider gap. I started a podcast in August 2020 called Cyber Mentoring Monday. I started it because I run #CyberMentoringMonday on Twitter, and the entire first year, every single person said, “I want to be a penetration tester,” but then I would ask them more questions because I am trying to find them a skilled professional mentor and lots of them didn’t know what AppSec was. They didn’t know what threat hunting was. They didn’t know what risk analysis was. They didn’t know that forensics or incident response existed. We would talk more and it would turn out that there is a different security focus that they’re really interested in, but they had only ever heard of penetration testing.
That was the same for me. I thought you had to be a penetration tester or a risk analyst, but there are a plethora of jobs. I started this podcast so people could figure out what types of jobs they wanted and because I really want to attract more people to our field. A big problem is there is no perfect way to enter AppSec.
Natalia: What are the biggest challenges for those in AppSec?
Tanya: The first AppSec challenge is education, with some developers not understanding how to create secure code. It’s not that they don’t want to. It’s that they don’t understand the risk. They don’t understand what they are supposed to do and a lot of them feel frustrated because they think, “I want my app to be perfect and the best ever,” and they know security is part of that, but they do not have the means to do it.
The second challenge that I see at almost every single workplace is trying to get buy-in. When I did AppSec full time, at certain places I would spend 50 percent of every day just trying to be allowed to do my job. For instance, I want this new tool, and here are the reasons why, and people would respond by saying, “That’s expensive. Developer tools are cheaper.” I would say, “I’m not a developer.” I had to learn how to communicate with management in a way I never had to do as a developer. When I was a developer, I would just say, “It’s going to be two weeks.” If they asked if I could do it faster, I would ask, “Do you want to pay overtime?” and then they would say either yes, and we would do overtime, or they would say no. There is no persuasion.
With AppSec, I had to say, “We have 20 apps. I know you want to spend a zillion dollars on hiring four penetrating testers to test our one mission-critical, super fancy app. But can we hire one for that and could we take the money and look at these legacy things that are literally on fire?” There is a lot of negotiation and persuasion that I had to learn to work in AppSec, which I was surprised about.
Natalia: What is the role of AppSec when it comes to cloud security?
Tanya: I find that everything that’s not taken becomes the AppSec person’s role because no one’s doing it and you’re freaking out about it. If you do AppSec in a company where everything is on-prem, quite often there’s an operations team and they will handle all the infrastructure, so you don’t have to. When you move to the cloud, and especially if you’re working in an org that does DevOps, you must suddenly learn cloud technology, at least the basics.
I’ve talked to many AppSec people and I’ve said, “If you’re moving to the cloud, I know that you think that you’re only in charge of the security of the software, but that’s not true anymore because of the shared responsibility model.” The shared responsibility model means that even if the cloud provider handles patches and the physical security of the data center, if you choose bad configurations, you are responsible for those. So, the first thing you need to do is check out the shared responsibility model to know what your side must do so you don’t miss super important stuff.
When we move to the cloud, understanding shared responsibility is really important and then setting out a process so you get reliable results. Ideally, every phase of the software development lifecycle has one or more security-supporting activities. If you’re using the cloud, there is a decent chance that you’re doing DevOps, in which case the developers become DevOps people. You want to talk to them about securing both development and operations. If they’re just doing development and there is a separate team doing operations, there is a security team helping the operations team but you want to make sure that they receive security assistance. It’s important for developers to understand the basics of cloud security so they don’t accidentally do something terrifying.
With the cloud, one of my favorite things is automation. I used to work for Microsoft and am an Azure fan. Azure has Security Center, which is the best and can automate a bunch of policies and check up on a lot of things for you. Learning how to use it to your advantage is important—learning which parts you want to turn on, which parts you need to budget for in the future, and which parts you’d rather have a third-party tool for. Making those decisions is important for the cloud security team and the AppSec person and then figuring out how to deploy safely and reliably into the cloud.
Keep an eye out for the second part of the interview, as Tanya Janca shares best practices on how to build an application security program and measure its success.
Elevate your security posture with Microsoft Cloud App Security and Microsoft’s Cloud Access Security Broker.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.