• Daria Chadwick

Stop Using OWASP For Your AppSec Program Blueprint


The OWASP 2021 Top 10 list has been heavily adopted by many security vendors as a marketing angle to boost their products and services, claiming to detect vulnerabilities and help mitigate risk as a result. Many application security programs are following in a similar fashion, using the OWASP Top 10 as a blueprint for their program, rather than using it as a prompt for how business and security groups should be tackling cybersecurity.


In the words of OWASP themselves: "The OWASP Top Ten is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications."


The OWASP list is merely a way to highlight the most common risks that developers and businesses face when creating and deploying web applications. It should not be the blueprint for how the AppSec program or even how API Remediation programs should be run.


One of the difficulties we've seen with AppSec teams using the OWASP Top 10 as a standard is that it documents application security risks but not necessarily issues that are easily tested. (For example, insecure design is beyond the scope of most forms of testing.)


So what should companies be doing instead?


They need to be thinking bigger. Martin Knobloch says that ideally, companies have to start doing a better job at training their developers, security professionals, and business leaders in being more risk-aware. Essentially, they have to work to drive more risk-aware cultures within their organization.


Changing any culture can be difficult, but especially ones as set in their ways like development. Developers operate in an Agile world. They have deadlines to meet and can't afford to slow down for anyone. From a security perspective, they want AppSec loopholes addressed immediately. Balancing the need for agility and security therefore becomes a real challenge. Similar to the rise of data and the push toward data-driven decision-making, there's a concerted drive to make everyone in the organization more data aware. We continuously see conversations, trainings, and directives encouraging everyone to firmly and clearly see data the same way based on an organizations objectives. But is that really what needs to happen with AppSec?


With how quickly we now know that things can change - and with how quickly things will likely continue to change in the future - do we really have the time or the resources to develop full-fledged training programs in order to get everyone involved up to speed and make everyone a cultural fit, only for it to potentially change again?With how fast threats and attacks on vulnerabilities are occurring, do we have the time to be as slow, methodical, and calculated as we'd like to be?


Or, should we simply try and welcome the idea of composable thinking and apply it to AppSec?


Composable Thinking in AppSecOps


Composable thinking, coined by Gartner, is the means to master the risk of accelerating change and to create new business value.


When departments within an organization have to intersect for greater organizational goals, it makes sense to implement command and control structures that can embody the necessary culture, think in the necessary composable fashion, and act as a clear intermediary in order to get the job done.


Read: Why Ad-Hoc Approaches to API Remediation Just Won't Cut It


Leading C-Suite executives recognize that business conditions often change, from customer demands to financial models, and empower the teams that are closest to the action to respond and re-form to those new conditions.


For CISOs and those involved in API Security and Remediation, they should be able to guide and implement policy that backs executive-backed business objectives. Reducing security risk is critical to ensure the business is not exposed and that business can run as usual.


In addition to guiding and implementing policy, these security leaders should also be promoting a high-trust culture that encourages employees to independently make decisions that align with these new conditions. This is why having technology that can support individuals in their day-to-day decision-making that simultaneously aligns with executive directives is so critical.


"Having technology that can support individuals in their day-to-day decision-making that simultaneously aligns with greater executive directives is critical."


Establishing a composable culture may not be a perfect solution (there's no such thing) but does working to maintain proper security levels really mean that everyone involved in the development, security, and business space has to be completely and culturally in-tune to the AppSecOps problem? Or can we all be granted some leniency here?


Individual teams all have their own metrics to adhere to and their own management to please, so it can be difficult to get everyone on the same page and see eye to eye. Ultimately, the best way to please everyone is by leaving everyone alone to get on with it. But this isn't an option, and AppSec does require a degree of change.


We know the best way to implement change is to make that change as simple and as un-intrusive as possible. This is where technology can be of incredible use.


"The best way to implement change is to make that change as simple and as un-intrusive as possible. This is where technology can be of incredible use."


There is an opportunity to leverage modern analytics platforms too provide AppSec with more clarity. When technology can sit on top of an existing set of tools and pull the necessary data for decision-making, it provide the insight and information needed to make decisions on how to prioritize vulnerability fixes and better allocate resources.

Working to establish true clarity and transparency should be at the core of AppSec programs, not the OWASP Top 10. Requirements as part of that blueprint should include:


  • Providing stakeholders with a complete picture of the current state of their processes

  • Providing a means to track progress against the organization’s goals

  • Help the organization allocate and prioritize resources so that critical vulnerabilities are addressed first

  • Help isolate and track Shadow APIs

  • Provide details into specific areas of concern, how they are being addressed, and by whom

  • Implement change management techniques to support the constant shift of employees, roles, and departments

  • Provide the destination for all related content that can be used by development organizations to maximize the reuse of existing work


Although no technology can help solve the OWASP Top 10 directly, technology can still be used to support the change that's required to maintain and improve security awareness and standards, including those listed by OWASP and beyond. It can be used to help bring transparency and clarity into the AppSec process, and it can start working immediately to help reduce risk to the organization.


Read next:


Addressing API Vulnerabilities in 2022: Part I

Addressing API Vulnerabilities in 2022: Part II

Addressing API Vulnerabilities in 2022: Part III

 

Introducing ReactFirst: Security for the new API Economy and the pace of modern business. ReactFirst is an award-winning, comprehensive API threat remediation solution that goes beyond technology to help minimize the threat caused by API security vulnerabilities.


ReactFirst helps bring together a combination of capabilities - a program, technology, and team of experts - to appropriately address the risk caused by API vulnerabilities. Instead of merely identifying problems, it tracks the organization's ability to resolve them, providing a command and control structure that delivers the necessary insights and accountability to see each vulnerability move through the remediation process.


"The surge in API traffic in recent years has made API security one of the top security concerns for enterprise CISOs. As a result, it represents one of the fastest-growing markets within cybersecurity. While API security vendors have an edge in offering API protection technology today, they will face increasing competition from more comprehensive offerings... We believe winners in API security will be companies capable of expanding their API security efforts to something more broad." - Umesh Padval, Venture Partner, Thomvest Ventures


This program is backed by executive sponsorship, supported by cross-industry experts, and enabled by state-of-the-art technology. ReactFirst works as the perfect accompaniment to your existing API strategy, providing the transparency, oversight, and control into the API Remediation process your organization needs as the risk around API vulnerabilities grows.


Talk to us to see if the ReactFirst is a fit for you, and whether it help boost your API Remediation efforts into one you can trust: https://www.reactfirst.io/contact