Wednesday, April 13, 2022

Burgers and Application Security


I love burgers. I also live in the Dallas-Fort Worth area, so an article in D Magazine a few years ago caught my eye: Why Dallas is the Burger Capital of the World. What? How did I not know this?!?

And so began The Great DFW Burger Quest!

It's my tour of burger joints in the DFW Metroplex. It's a multi-year project. The pandemic set me back a little, but I'm up to 75 burger joints visited so far. Many more are on my "to do" list. I track everything on Yelp.

What does this have to do with application security? Well, there are some parallels I'd like to point out.

Building an application security program is a multi-year commitment. When an organization first dips its toe into application security, it might start with something easy like dynamic scanning of its Internet-facing web apps. That is a fine place to start, but a lot more is needed to understand your application security posture more broadly. Static analysis, software composition analysis (SCA), and manual assessments all have a place when it comes to identifying application security flaws. Implementing multiple testing techniques and automating them early in the software development process across an entire enterprise, with minimal disruption, takes both time and commitment.

At first, I assumed only burger joints would be part of The Great DFW Burger Quest. But it turns out that some of the highest-rated burgers in DFW are served at local bars or family restaurants. I had to expand my quest to include these. Likewise, to mature your appsec program, it would need to expand to cover not just Internet-facing web apps, but also APIs, internal applications, mobile apps, and other software that could bring risk. Secure code training for developers (or what I call The Ultimate in Shift Left) should be part of a mature appsec program as well. Instead of Yelp, you could track the growth of your program using a model such as the excellent Software Assurance Maturity Model from OWASP.

My burger quest often needs to be adjusted based on the current environment in the area. Many restaurants closed permanently due to the pandemic, including some I had planned to visit. However, I'm seeing new burger joints popping up rapidly this year. An application security program will need adjustment too. For example, Log4Shell, Spring4Shell, and the U.S. Cybersecurity Executive Order have recently highlighted a greater need for SCA, which helps uncover risks due to third-party components. Organizational changes, such as a new CISO coming in, might also force adjustments to your program.

My initial burger outings were a solo activity, but now I usually have some friends join me. In the same way, a successful application security program is not a solo activity. It requires not only testing technology but also people and processes. In particular, Security and Development should be working together to build security into DevOps processes.

(This post first published as a LinkedIn article)