I recently had the opportunity to talk with Robert Lemos for his article “Application Security and Your Career: 5 Key Areas to Focus On” about the new skills required for application security and quality assurance teams. He included a couple of my comments in the article, and this blog post expands on those themes based on what we’ve seen from Denim Group’s work with organizations modernizing their security teams in the face of Digital Transformation initiatives.
Changes for Application Security Teams
Trends Driving Change in the Industry
So-called Digital Transformation initiatives are continuing to gain momentum in upper-mid-market firms and large enterprises. [See the Denim Group whitepaper “Security the Other Side of Digital Transformation” for more background on this topic.] Organizations are moving away from monolithic application development toward cloud-native development. This means that applications are being built from microservices that run in containers that are hosted in the cloud, and that these applications rely on other cloud-native services like managed databases, message queues, and other higher-level building blocks.
What Works and What Doesn’t Produce the Intended Results
What doesn’t work? The same stuff that hasn’t been working for a long time still doesn’t work – annual or quarterly “pen tests” still can’t keep up with the pace of development and provide no semblance of a feedback loop that development teams can use to improve. What else doesn’t work? A lot of existing application security tools don’t work. Or at least they provide only a narrow view into the security posture of a modern cloud-native application. As applications have moved from monoliths to microservices and have started relying on containers and cloud services, far more factors roll up into the security of a modern application. Most testing tools provide specific types of analysis that can find specific types of flaws in specific constructs within the overall application, but they do a horrible job of characterizing the overall security of these modern applications. [See presentation slides from “The A’s, B’s, and Four C’s of Testing Cloud-Native Applications” for more thoughts in this area.] We are doing some work in ThreadFix to give organizations better tools for grokking the security risks to their cloud-native applications.
What does work? Starting with a threat model. Or at least an “architectural bill of materials” – what is actually in this application we are shipping, and what is required to make it run? The concept of a “software bill of materials” has been gaining in popularity over the past year or two, most specifically in the government space but also more broadly in commercial industry. The idea is to know what open source components are included in software that you are shipping. An architectural bill of materials widens the aperture to look at the system as a whole – what are all the component parts of whatever “application” you are looking at, and for each of those parts, what software is included and what servers and services are required to make it “go”? This is a required starting point if you want to make any meaningful assertions about the security state of a cloud-native application. Once you know the components of your application and how they fit together, you can start to do security testing for the individual components and characterize the results in the context of how all the parts fit together.
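As an added illustration (not code from this post, and not ThreadFix’s implementation), the following Python sketch shows how a minimal architectural bill of materials can be put to the use the paragraph describes. The component names, component kinds, tool types and scan runs are all constructed; the three functions answer “what does this application need to run?”, “what has no tool looked at yet?”, and “what does the finding picture look like across everything it depends on?”.

```python
from collections import Counter, defaultdict

# Constructed architectural bill of materials for a hypothetical application:
# each component says what it is and which other components it needs to run.
ARCH_BOM = {
    "web-frontend": {"kind": "container", "depends_on": ["orders-api"]},
    "orders-api": {"kind": "container", "depends_on": ["orders-db", "events-queue"]},
    "orders-db": {"kind": "managed-service", "depends_on": []},
    "events-queue": {"kind": "managed-service", "depends_on": []},
}

# Tool types that should have examined each kind of component (assumed mapping).
EXPECTED_TOOLS = {
    "container": {"sast", "sca", "container-scan"},
    "managed-service": {"cloud-config"},
}

# Constructed scan runs; a run with an empty findings list still counts as coverage,
# which is why runs are recorded rather than just findings.
SCAN_RUNS = [
    {"component": "orders-api", "tool": "sca", "findings": ["high"]},
    {"component": "orders-api", "tool": "sast", "findings": ["medium", "medium"]},
    {"component": "orders-api", "tool": "container-scan", "findings": []},
    {"component": "web-frontend", "tool": "container-scan", "findings": ["low"]},
    {"component": "orders-db", "tool": "cloud-config", "findings": ["high"]},
]

def runtime_closure(bom, entrypoint):
    """Every component needed, directly or transitively, to make `entrypoint` run."""
    seen, stack = set(), [entrypoint]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(bom[name]["depends_on"])
    return seen

def coverage_gaps(bom, runs, expected=EXPECTED_TOOLS):
    """Components that an expected tool type has never examined, with the missing types."""
    covered = defaultdict(set)
    for run in runs:
        covered[run["component"]].add(run["tool"])
    gaps = {name: sorted(expected[meta["kind"]] - covered[name]) for name, meta in bom.items()}
    return {name: missing for name, missing in gaps.items() if missing}

def rollup(bom, runs, entrypoint):
    """Finding counts by severity across everything `entrypoint` depends on at runtime."""
    scope = runtime_closure(bom, entrypoint)
    return dict(Counter(sev for run in runs if run["component"] in scope for sev in run["findings"]))
```

The same data also shows why the BOM has to come first: the high-severity cloud-configuration finding on the managed database only attaches to the web application because the dependency chain says the database is part of what makes it run.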
What to Do to Strengthen Application Security Teams
Application Security teams need to catch up with how DevOps teams have evolved their practices and expanded their toolsets. This starts with growing their knowledge and capabilities in two primary areas:
- Technical knowledge of the new constructs that are used in cloud-native applications such as APIs, containers, cloud servers, and cloud services and how to perform security and configuration testing for these constructs.
- Architectural knowledge of how the pieces of cloud-native applications fit together.
Changes for Quality Assurance Teams
What Skills are Application Security and QA Professionals Expected to Have to Evolve
Traditional quality assurance is dead and the world is now owned by Software Development Engineers in Test – SDETs for short. Scripting and automation have been a growing part of organizations’ QA strategies for years, but cloud-native applications require significant testing automation to provide any level of coverage and assurance. For QA, this automated testing has moved to Continuous Integration/Continuous Delivery (CI/CD) pipelines. Unit testing and integration testing are now performed via automation as part of these automated pipelines, so QA team members need to have the programming or scripting skills to craft and maintain these test suites and the administration skills to wire them into automation frameworks like Jenkins or Bamboo.
For application security teams, some testing is starting to move into CI/CD pipelines, so they now need to understand the pipeline automation frameworks. In addition, they also need to be able to configure and optimize the behavior of their application security toolsets – SAST, DAST, IAST, and SCA. Application security teams also need to familiarize themselves with an expanded set of tool types. While the traditional xAST and SCA tools are still critical for securing cloud-native applications, application security team members now also need to understand container security scanning tools such as Twistlock and Aqua as well as cloud environment security configuration tools such as ScoutSuite and Dome9.
Are There Skills That Are Not as Highly Valued?
Manual QA testing skills are decreasing in value as the industry shifts to a much greater focus on automation. Manual application testing and code review skills still remain very valuable.
Where Can Application Security and QA Professionals Turn To Brush Up On Their Skills
There are a number of freely-available resources that can get teams started. The cloud providers have general training materials for their offerings as well as security-specific documentation and training:
In addition, there are free and relatively low-cost courses on Docker, Kubernetes, and other important topics on MOOCs such as Udemy and Coursera. OWASP also provides some relevant freely-available resources such as their API Security Project Top 10.