Are you an application security superhero? Do you fly in at the last minute to thwart evil hackers like Iron Man, or are you more of the deep thinker who prevents hacks from ever happening, like Professor X?
The comparison is a bit crazy, but that is where we are these days. There is a constant battle between good and evil in the cyber world, and, in my opinion, we are just getting started.
Application Security Phase 4
Like the Marvel Cinematic Universe, application security is onto phase four: it must evolve yet again.
The reason is that the threat landscape has continued to grow, and the driver of that growth is the change in how software is developed, tested, and deployed (DevOps, and its security-aware form, DevSecOps).
Because of this, application security superheroes need to become bigger badasses. Application security needs to follow DevOps, promoting the sharing of responsibilities across the development and release process, while wearing a security cape and mask.
Phase 4 Application Security Superhero
There is a lot of conversation in the industry around what an application security professional’s responsibility should be.
Application Security Superhero is a tongue-in-cheek title, but titles like Application Security Architect, Site Reliability Engineer, DevSecOps Architect, and Product Security Architect are becoming more and more popular. What is the common thread across all these titles? IMO, it is a broader set of responsibilities and knowledge.
Responsibilities of the Application Security Superhero
An application security superhero needs to understand all aspects of development, release, and testing for their organization's applications. Specifically, they need to:
1) Understand the risks facing their company
2) Understand how their organization's CI/CD process works
3) Understand how their organization's developers work
4) Be proactive AND reactive to risk
5) Be part of the application life cycle from cradle to grave
6) Be a security evangelist and trainer for their company
7) Work with Enterprise Architecture to understand what is being built
8) Understand AST (application security testing) tools, how they work, and how to integrate them into the DevOps pipeline
9) Create security policies specific to the risks their organization faces
10) Ensure security is not a roadblock but an asset
I recently read an article about the new paradigm for Cybersecurity Engineering and Site Reliability Engineering by Adewale Adebanjo, who does a great job of describing the Application Security Superhero concept.
To secure your applications, you need to know everything about your applications. The days are over when you could throw an AST tool over the fence to the development teams and hope it goes well.
Application Security Superheroes need to team up with their colleagues in other areas of the company, just like the Avengers, to mitigate and respond to risk effectively. Application security is not a "me" thing but a "we" thing.
Having a range of skill sets is very important. To be an effective application security professional, you need to be like Bruce Banner and his superhero alter ego, The Incredible Hulk.
On one hand, you need to be a brilliant scientist who can solve complex application security problems; on the other hand, you sometimes need to be a badass and SMASH the hackers in their tracks!!!
Can I get a HULK SMASH!!!