Not All Vulnerabilities Are Created Equal

You wouldn’t be very effective if you didn’t prioritize your to-do list. Treating “prep for board meeting tomorrow” and “organize in-box” with the same level of urgency would slow you down at best and seriously impact your job performance at worst. Similarly, neglecting to prioritize your application security “to-do list” will slow your progress, or prevent it altogether. Even the best application security technology and scanning tools become ineffective without a way to prioritize and manage test results. In my previous blog post, I outlined in general how AppSec policies need to adapt to a DevSecOps world. In this post, we dive deeper into the topic of managing test results as part of your policy. A key element of that effort is ranking vulnerabilities so that you focus first and foremost on those that are actually increasing your risk. For instance, it’s important to distinguish between flaws that represent a remote risk and those that represent more substantial, real-world risks. In some cases, the likelihood of a vulnerability being exploited may be low, but the potential damage might be great. In other instances, the chance of exploit might be high, but the damage...

Application Security Policy: Might Need to Revisit as DevOps Emerges

I’ve worked in program management at Veracode for the past six years, and during that time, I have seen a lot of different approaches to deploying AppSec policies. Typically, the security team (CISO/CIO led) deploys an AppSec policy that applies to developers and engineers. However, with the rapid change in the ways software is developed and released, most of the security policies that were deployed a few years back are no longer acceptable to the development community. Many application security policies were built when we did not have fast, automated security tools that could be plugged into the SDLC. Now more than ever, with teams moving to DevOps and CI/CD, it is important to revisit and build new policies that work with, and not against, the developer goal of “getting good code out quickly.” Here are some items to consider when right-sizing your application security policy:

Implement achievable policies at first

If security is being introduced for the first time or being enforced for the first time, start off with some achievable policy standards. Don’t make a team that has never had security built into their daily cycle try to meet PCI or all...