Getting Started With Appsec for SMBs

Hey folks, it’s been a minute. Took some time off after RSA for some rejuvenation and research. Hope you’ve been well.

If you’re a product or engineering manager at a startup, you’re probably not focused everyday on security issues. However, as is life, things come up that will require your attention, regardless. Security is one of those “things”.

You can be proactive about security issues, or reactive. Of course, the latter is just de-prioritizing security. However, if you’re reading this, then we’ll assume you want to do something about  the state of your application security. Great, let’s get started!

Threat Modeling

As a busy professional, you can appreciate that we cannot do everything all at once. So we’ll have to prioritize what is at risk the most. In Threat Modeling, we take a step back and look at a system overall, understand its function, and theorize on possible attack vectors and their likelihood. In the following article, instead of walking through a threat modeling exercise with you, I will apply a typical threat model for a modern SaaS web application with approximately 10-20 engineers.

Secrets Management

One of the most critical and important aspects to manage is your secrets. First, I recommend a full audit of all your secrets. You will be surprised how many secrets you actually have in your ecosystem. Every 3rd party integration has its own secret. You may even find some devs using some of their personal access keys in production systems!

Good Secret Hygiene

Here is a list to help you improve your secrets hygiene:

• Ensure no secrets in code*

• Ensure all secrets are scoped to just a minimum set of permissions required (aka least privilege)

  • For example, do not use keys will full privileges, if all you need is a read-only key

• Use a separate secret for each service. This reduces the impact in the event a key is compromised or needs to be deleted/rotated.

  • For example, use if you have multiple applications using an SMS service, create a key for each application

• If you must have shared secrets (it’s inevitable sometimes), use a shared vault in a good password manager that has audit logging capabilities, and limit to a min number of people (2-4), including one manager. 

* Immediately rotate this secret if found

Check Your Code

There are a plethora of ways to review and test your code for vulnerabilities out there, however if you’re just starting out, let’s keep it simple for now.

Checking your code for vulnerabilities during the coding process will “shift-left” your security, improve awareness of security with your engineering team, and save you time in the long run.

In this case, we’ll start off with Static Application Security Testing (SAST). This method reviews your code for vulnerabilities and depending on how it’s configured, will limit vulnerabilities from hitting your codebase. OWASP has a list of OSS tools to choose from.

Other forms of code checking include Software composition analysis (SCA), which is an automated process that identifies the open source software in a codebase, and Dynamic Application Security Testing (DAST).

Protect Special Branches Of Code

If you have particular branches of your code that is responsible for authorization or authentication that should rarely be changed, then add special protections to prevent alteration. In Github, this can be done with a CODEOWNERS file.

Secure Coding Training

It might seem pretty basic, but educating developers on proper security is almost always needed. Writing secure code is not something often taught in depth, if at all, in schools and bootcamps. People want to do the right thing, but if they don’t know how to, then can you blame them?

There are a number of ways to train engineers aside from security training videos. These include:

• Hackathons & CTFs

• Starting a bug bounty program

• Lunch and Learns

• Book / Study Club

OWASP has a secure coding guide (https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/) and the Secure Coding Dojo (https://owasp.org/www-project-secure-coding-dojo/).

Leverage Automation

Once you have some tools and processes in place, leverage automation to make your life easier. Have code checks run automatically on push, or even better, have them as pre-commit hooks for your devs. I’m not going to sugar coat it, it take some work and lots of tuning, but the rewards will pay off in the end.