6 Application security as a service


This chapter covers

  • Changing the application security model from gated activities to enablement
  • Creating an environment of application security as a service
  • Learning the services that should be part of the application security as a service ecosystem
  • Closing the divide between security and engineering

What is a great way to stop getting invited to the engineering holiday party? Block an application release or hold up a build because of a vulnerability you found. Historically, application security has been the team that comes in at the end of a productive coding release to point out issues with the code, the deployment, the libraries used, and other ways in which the software is not ready for prime time. Security has pushed for this gated approach for various reasons, the primary one being that the security organization is tasked with identifying, helping to reduce, and measuring the organization's risk. In that capacity, the security team naturally wants to ensure that no vulnerabilities that put the organization at risk make it to production. A better approach is to create a security ecosystem that enables development teams to access security services along the path to production.

6.1 Managing risk during development

6.1.1 Defining and reducing risk

6.1.2 Define the application risk

6.1.3 Release-by-risk

6.2 Enablement instead of gates

6.2.1 Automate the release-by-risk

6.2.2 Removing the barriers by adding guardrails

6.3 Bridging engineering and security through services

6.3.1 The application security-as-a-service ecosystem

6.3.2 Services requested through tickets

6.3.3 Ambient application security

Summary