AppSec and Secure By Design
The US Cybersecurity and Infrastructure Security Agency (CISA) has been a leader in a global movement to promote software that is "Secure by Design". I'd like to explore the role that application security (AppSec), as produced by Checkmarx, plays in Secure By Design.
Software design begins with requirements. In the race to get to market, it is not uncommon for a developer either to ignore the security requirements or not to make the effort to articulate them at all. We as an industry have learned the hard way that retrofitting security into a fundamentally flawed system is hard. It isn't necessarily impossible, but it is generally hard, and it is less likely to give you the same level of security you would have had if you had designed the system differently.
Back to design. In general, for software it is the combination of building custom code and integrating dozens of third-party components or systems into something coherent and usable by the end customer. This is a complex process, often filled with trial and error. Often you won't know if something will work until you put it together. CISA and others are trying to influence this through the Secure By Design principles:
Through these principles there is hope that software developers will produce more secure software which is resilient to most cyberthreats, thus decreasing the chance of compromise and increasing the complexity and difficulty of the attack.
Having a well-thought-out AppSec program supports all of these principles. Reducing the threat surface of your application certainly impacts the customer security outcomes. If you have ever looked at a software bill of materials, you can appreciate what radical transparency looks like. At the heart of leadership is setting the priorities and security requirements for the software and the entire AppSec program.
So AppSec doesn't define the requirements or design the application, but it is a critical set of tools that helps developers reach their goal of efficiently producing secure software. The world's developers are moving towards more and more automation, and AppSec tools are moving with them to enable automated testing within their existing CI/CD environment. Ideally a developer can leverage AppSec tools to automate the testing of their application security requirements.
Ideally it all starts at the beginning of the design process, with the developer keeping those three Secure By Design principles in mind as they draw that first network diagram on the napkin in the airport bar. Even the best-designed system will still require testing.