Application security reviews are performed to proactively discover and mitigate vulnerabilities in applications and services being developed or deployed in order to reduce risk. It includes any or all of these activities: threat modeling, in-depth secure code review and dynamic testing.
In a fast-paced and engineering-heavy organizations, these are typically non-blocking and can be seen as a security pipeline defining roles and responsibilities, scope of the review, a priority queue based on business risk profiling, expected outcomes and risk findings across the application.
We start with a strong foundation for secure design by performing a security design review focused on threat modeling to derive security requirements and test plans. This is followed by an in-depth secure code review and dynamic testing / validation.
As we progress through the application lifecycle, if secure code reviews uncover high risk code changes and vulnerabilities or penetration testing results point to exploitable findings this indicates a need to do better threat modeling.
The success of this in terms of scaling and maturity depends on three factors working in tandem: tools, processes and people. Therefore, we need to leverage a security pipeline approach for well defined structure and automation..
In this talk, we will cover:
- creating a structure for these reviews based on their scope and priority
- calibrating reviews as a team and organization
- leveraging partnerships like security champions (engineers) as key players who are not responsible for the pipeline but help move the pipeline further
- capturing key risk and remediation metrics
- building automation and tooling centered around for threat modeling in a complete security assessment