August 15, 2022
In the era of mobile communication, application security is a priority that developers simply can’t ignore, if they want to avoid losing money (a LOT of money) and trust from their customers.
Therefore, every software company must ensure the user’s sensitive data and privacy, as these are the number one targets for hackers who are always testing new ways to bypass even the best security apps for tablets and mobile devices.
Security Compass is an award-winning provider of cybersecurity solutions, and in this interview their Chief Product Officer, Trevor Young, we will get their best tips to build a secure piece of software.
Read on to learn the top practices that will help you and your dev team create more secure applications and avoid data breaches that can damage your business and your customers.
Please describe the story behind Security Compass: How did it all start, and how has it evolved so far?
Security Compass, a leading provider of cybersecurity solutions, was founded in 2004 by Nish Bhalla. The company experienced transformative growth under its founder’s leadership and vision to work towards a world where we can all trust technology. Propelled by their mission to help customers manage cybersecurity risk without slowing down their business, the company secured growth equity funding from FTV Capital, a sector-focused growth equity investment firm, in 2020. To capitalize on the market opportunities presented by this partnership, Security Compass appointed Rohit Sethi as the new CEO. Sethi, formerly COO and Security Compass’ first hire almost 13 years earlier, has been an integral part of the organization and the creation of SD Elements. Its flagship product, SD Elements, helps organizations accelerate software time to market and reduce cyber risks by taking an automated, developer-centric approach to threat modeling, secure development, and compliance. In 2021, the company divested its Advisory branch to Kroll to become a focused software company.
Today, Security Compass is a leader in application security that enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows. To better understand the benefits, costs, and risks associated with an investment in SD Elements, Security Compass commissioned Forrester Consulting to interview four decision-makers with direct experience using the platform. Forrester aggregated the interviewees’ experiences for this study and combined the results into a single composite organization. The decision-maker interviews and financial analysis found that a composite organization experiences benefits of $2.86 million over three years versus costs of $663,000, adding up to a net present value (NPV) of $2.20 million and an ROI of 332%. Security Compass is the trusted solution provider to leading financial and technology organizations, the US Department of Defense, government agencies, and renowned global brands across multiple industries.
How has the pandemic affected your business, customers, and industry in general?
Like most companies during the pandemic, the shift to fully remote working for close to 2 years presented a lot of challenges. As a tech company we already had very flexible remote work policies, with a handful of employees based throughout North America but COVID really pushed it to the limits. Some of the bigger challenges included ‘zoom fatigue’ (being on camera and in meetings constantly), juggling the parental responsibilities with kids and partners all being at home for prolonged periods, and overcoming anxieties with the risk of COVID itself and the effects of isolation for long periods. From an industry perspective, Cybersecurity became front and centre with so many industries relying more heavily on software tools and technology to support their core business. It really increased the attack surface for many organizations and increased the risk of security breaches or hacks. At the same time, challenges with the supply chains and economic slowdowns really hit some industries hard (travel, hospitality and manufacturing are examples) while other industries experienced incredible growth ( like e-commerce, gaming and digital communications). All things considered, I feel that Security Compass weathered the storm and we’re now in a strong position to grow our products and support organizations who are struggling to secure their products.
What are the most common application security threats?
This is a great question and one that the industry in general has done a really good job of tracking. The best source of data we can use to answer this question is the OWASP Top 10 list. OWASP (Open Web Application Security Project) is a community that works to improve the security of software through its community-led open source software projects, chapters worldwide with tens of thousands of members, and by hosting local and global conferences. The OWASP Top 10 is a document that represents a broad consensus about the most critical security risks to web applications. You can view the full list (that was last updated in 2021), but the top vulnerabilities identified include broken access control, cryptographic failures, injection, misconfigured security or old/outdated components. What’s really interesting are the new items that made the list in 2021, including insecure design, software and data integrity failures or server side request forgery. The data is based on contributions from a variety of sources, including security vendors and consultancies, bug bounties, and self reported contributions from companies around the world. SD Elements includes the OWASP top 10 list, including detailed description of the threats, educational content to understand it plus controls, and countermeasures to prevent the top threats.
Why is application security so hard?
There are many ways to answer this question, and it’s usually more nuanced depending on the industry and type of application you are building. But to generalize, it’s hard on both a technical level as well as a business level.
At the business level, securing your applications is typically seen as an after-thought and companies tend to be reactive as opposed to proactive. This is because companies are primarily focused on growth, which is often dependent on new products and features getting to market quickly. Introducing requirements to ensure security or compliance of software applications can often slow down development of features tied to business growth. This doesn’t apply to all industries, but the general effect is that businesses often under-invest in application security teams have little incentive to make it a priority. In the business sense, it’s hard to make the decision to invest in something that, by design, isn’t seen as adding value, and is known to traditionally slow down product delivery.
At the technical level, application security is hard because the body of knowledge is so fast and moves so quickly, and security practitioners are expected to be on top of everything! If you compare it to a more specific technology like mobile application development, that is just one category of applications, with a subset of software and hardware. Technology categories span everything from APIs and Data Storage to Cloud services and Container Management. Security applies to all of those, so the breadth of knowledge is massive. On top of that, application security experts have to be reactive to unknown attacks coming from a variety of malicious sources at any given time. In contrast to other application technology categories where teams plan, design and prepare for new releases and collaborate openly on innovation. Collaboration is also typically based on structure and rules or regulations that ensure parties play nice together. Cyber attackers don’t tend to be transparent and certainly don’t play by the rules.
On a positive note, we see more collaboration across companies and nations and businesses are starting to understand that application security needs to be an embedded and continuous part of their product development lifecycle, which is creating more investments and greater awareness of application security threats and countermeasures to reduce business risk.
Can you suggest your favorite security testing tools?
Security testing is certainly important with tools like Veracode and Checkmarx providing well regarded solutions. Security Compass takes a proactive approach to application security which reduces the number of security vulnerabilities discovered by scanners which reduces software time to market and allows security teams to focus their efforts on the most impactful areas.
What are the types of security testing everyone should do?
I’m going to respectfully change your question slightly to be ‘what are the types of security practices everyone should do?’). Testing is absolutely one of them, but I believe that if you’re only testing for vulnerabilities after you’ve written or deployed code then you may already be too late. I like to break application security best practices into design, development and testing. The way you phrased the question is actually telling, because the trend I’ve observed in the industry is that many organizations only consider security as part of the testing stage, or a gate to pass before releasing an application. Ideally, security (and compliance) should be considered as early as the design and architecture stage. Even if the development team is only asking simple questions like ‘What Am I Building?’ and ‘What Could Go Wrong?’ before they write a single line of code. The other best practice that teams can adopt is regular training and education on secure and defensive development. Training that is geared specifically for Development and DevOps teams that includes practical advice that is applicable to their technology stack is ideal. During the development stage, it’s important that the team has very clear requirements that outline how they need to build their application to ensure that it meets an organization’s security, risk and compliance policies. Compliance officers, Product Managers and Security Architects often have to collaborate here to translate complex requirements into user stories and sample solutions that development and devops teams can understand.
Lastly, if those requirements include acceptance criteria, then you can follow-up with testing that specifically checks whether known vulnerabilities have been remediated. Development teams often view these added tasks as a burden that slows them down, and something that really helps them get over that hurdle is automating as much of the process as possible so it makes it really easy for them to build secure applications. At Security Compass, we provide products that include training and education, threat modeling to ensure secure design, secure coding requirements, sample solutions, integrations with a variety of security testing tools and robust API’s that make it easy to automatically embed best practices into existing development pipelines.
What are your best tips to develop a secure app?
I would say my biggest tip would be to follow some of the best practices mentioned above. For teams that have not done this in the past and are just learning, keep things as simple as possible to start and gradually add more to your development practices.
I really like the 4 questions that the Threat Modeling Manifesto calls out, that help teams think about secure design right from the beginning:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
This is a really great way to introduce teams to secure design and development. Once they are used to asking these regularly during their development process, you can start to integrate development tools that automatically answer some of these questions for you and better understand where the biggest risks are and focus your efforts on those.