let's all come out of the darkness

Hello everyone. Svetlana Gazizova, Director of DevSecOps Process Building at Positive Technologies, is here again. I previously talked about who a secure development specialist is in the section Positive Education “Top 10 Cybersecurity Professions” (and just recently there was an article about a miracle of miracles — MLSecOps). In this article I want to focus on the role and tasks of those who build application security in companies — managers and team leads of AppSec departments.

How I Got into AppSec

People get into the industry in different ways, I'll tell you how I got there. Historically, I was responsible for the IT part of development: I was involved in application architecture and improvements — until we faced a shortage of cybersecurity competencies in the company. I began to delve into the topic, study and implement tools… and gradually realized that information security was closer to me. When I was looking for where to move, I chose the application security direction (which was not very widespread at the time, and few understood what it was and why it was needed). I started with consulting: I explained how a static analyzer works, what it does and why. Then I came to Positive Technologies, where the ML security block was added to the “appsec”, as well as research, community and other stories related to building secure development processes.

Why am I talking about building processes? It's simple – cybersecurity maturity in Russia has grown significantly in recent years: companies no longer want to do chaotic AppSec, it is important for them to think several steps ahead, to see the whole path. To get away from chaos and turn it into an effective action plan, you need an application security strategy. And this task (with an asterisk) falls on the shoulders of managers and team leaders.

If you compare the daily routine of an AppSec specialist and a team leader, it looks something like this.

A specialist solves fairly clear, decomposed tasks: analyzes scanning results, implements a particular tool, and so on. A lead in application security, like any manager, has strategic tasks: how to save the budget, how to choose the right solution and, ultimately, how to keep the team together. The last point matters: the AppSec industry is in high demand, good specialists are few, and they are often poached. A competent manager should organize the work, the training and the motivation so that employees stay interested. In addition, team leads, unlike specialists, regularly interact with other involved parties: external contractors, company management – this is an additional responsibility.

But sometimes even the most talented managers find themselves in a dead end: there are no normal frameworks, there is chaos all around, the top managers do not see the point in spending on application security. It seems that you are alone against everyone else.

The main problems faced by team leads and managers of the AppSec department:

  • lack of system and methodology – most specialists work without a clear theoretical base, relying on self-training;

  • underfunding – it is difficult for a business to allocate a budget for something that “will pay off in no time”;

  • pressure from regulators – standards are written in heavy, bureaucratic language, they are voluminous and are updated periodically, and the manager needs to not only take everything into account, but also convey it to the team in an understandable form;

  • the growth of cyber threats, while there is a shortage of qualified specialists;

  • finally, a general lack of understanding of how to build a secure development process in a company and track the effectiveness of your team.

The last problem is fundamental. It is not enough to simply buy a tool and hire a person, it is important to imagine the entire process. How to develop your department, how many people to hire, what to train? And if a vulnerability is discovered, how to understand what needs to be fixed and how? How to choose a product that suits your tasks and needs? How to calculate the implementation cost and explain why it is important to allocate a budget right now?

We discuss all these issues in detail in our new course, developed jointly with Positive Education, “Application Security: From Chaos to System Management”.

Application security at maximum speed

The intensive course on application security management is something of an experiment. There is nothing like it on either the domestic or the foreign market. Initially, we developed a course for AppSec engineers at MIPT, and in the process we realized that we can give more than the technical skills of implementing tools and checking code. We can teach how to manage this process. We collected the common problems that we ourselves had solved several times, selected algorithms and working frameworks, and made this knowledge the basis of the new course.


There are many standards for secure development, and people often choose what is closer to them. For example, adherents of the OWASP model will rely on it, and companies related to critical information infrastructure will first of all look at the regulator's requirements. We have our own framework. It contains both regulations and best practices from various methods, including foreign ones. This is a voluminous guide that describes the main steps of secure development in clear language. We formed it based on work with different customers; there were also trials, errors and bumps.

Three Branches of DevSecOps

The intensive program is designed for three days of full immersion and is built on the three pillars of DevSecOps – processes, people and resources.

  • The first day is dedicated to processes: how to build the right strategy, argue the importance of secure development for business, how to approach the choice of frameworks and tools to ensure a continuous application security pipeline in the company. The process should not stop if a developer quits, a vendor stops updating its product, or other conditions change.

  • On the second day we will talk about people — their motivation and development, communication and conflict management, interaction with top management and other parties involved. How and what to teach developers and what to learn yourself to be an effective manager and understand your employees. We will definitely touch on the issue of non-material motivation — money alone is not enough, interest is also important. If we constantly pump people with money, we will inflate a bubble in the market that will sooner or later deflate.

  • The third day is more technical and is dedicated to resources. We will review the market of key players and their solutions, examine the available tools in detail, analyze how to plan the infrastructure for AppSec, and develop a plan for implementing the selected technologies.

At the end, each participant will form a document – an application security strategy for several years. They will be able to implement it in their company, taking into account the current state, budget, team, etc.

How can you do all this in three days?

  • Firstly, the intensive format implies high involvement. You work in groups, and you have a curator who monitors the process with a stern face. Unlike in an online lecture, you won’t be able to turn off the camera and reply to a message in Telegram. This is the fundamental difference between our course and any existing AppSec products.

  • Secondly, a community of like-minded people is formed, who actively interact during three days and additionally involve each other. We hope that after the end of the intensive, our participants will continue to communicate in alumni chats: team leaders of “appsecs” of different companies will be able to exchange cases, share experience and methods – thereby enriching the community and developing the AppSec direction in the country.

  • Thirdly, we will provide participants with a lot of useful materials: workbooks with all the notes, selections of links, labs, checklists… In essence, they will have a ready-made guide to action.

Who will benefit from this course?

  • First of all, those who have just become secure development managers and want to hear how others made mistakes, so as to get it right themselves.

  • Secondly, those who want to become application security team leaders – architects or simply “appsecs” who have decided to move along a career track.

  • However, the course will also be useful for those who have been in the role of a team leader or AppSec manager for a long time and want to learn best practices or fill some gaps. For example, they don’t understand how to grow a team (because they never had anyone under their command before), or they don’t know how to justify finances. By the way, in this article I also talk about calculating investments in secure development.

The intensive starts very soon – September 5 in Moscow. If you are interested in the topic but for some reason cannot make it to the course, watch the talk I gave with Maria Shekhovtsova at the Positive Hack Days 2024 festival, dedicated to calculating the economic efficiency of AppSec.
