Building Better AppSec Teams: Communications, Collaborations and Cloud - Ep 32
Reimagining Cyber - real world perspectives on cybersecurity | 04/11/22 • 18 min
Kristen Bell, Senior Manager of Application Security Engineering at GuidePoint Security, is back, sharing her insights into “Building better AppSec teams: Communication, collaboration, and culture.” Two weeks ago, Bell joined the Reimagining Cyber team, Rob Aragao and Stan Wisseman, to share her perspective on “Governing a better AppSec program by empowering dev teams.”

Collaboration is Key

To build a better AppSec team, Bell explains the importance of collaboration. Many developers have a bad taste in their mouths when it comes to automation. Developing a multi-phased approach where you can share each step and mitigate any barriers to adoption (for example, many developers don’t like a lot of “noise” or false positives) can be helpful. When it comes to the actual scanning itself, Bell recommends doing a lot of work on the front end to make it run as smoothly as possible, ensuring the highest-quality results for ease of use. Additionally, she recommends integrating a ticketing system like JIRA to provide a continuous feedback loop. This way, you can pull metrics to show return on investment. Lastly, Bell recommends getting buy-in from application developers and owners. With skin in the game and a seat at the table, they’ll have influence and investment in the security program’s direction.

Communicate, communicate, communicate

Creating a streamlined and organized communications approach when building out your AppSec team is crucial. It is critical to have one centralized location to house all information for your security team, whether it’s standards or blueprints. “It's super important that if you're building a portal, or a Wiki, or this one-stop-shop, for the developers, to have these self-service options, they need to know it exists,” Bell says. Reiterating it in multiple ways (an All Hands call, a newsletter, an e-mail) is critical. You have to remind people 13 times before they’ll remember something.

Get out into the community

There's OWASP, ISACA, (ISC)2, ISSA and lots of different kinds of AppSec and cybersecurity related organizations that team members can go and be active in within their local communities. I would also encourage people on the security team, if you go to a conference, to invite the good AppSec-related speakers in to speak to the team or the developers. They usually are looking for opportunities to engage and are open to doing it.

AppSec in the Cloud

Building a Cloud-centric AppSec team has its challenges. Bell recommends:

• Separation of duties: Developers don’t typically have access to production and don’t make changes in production. However, when it comes to the Cloud, that all changes. Creating different profiles and having people commit to certain tasks allows teams to divide and conquer.
• Threat modeling: Bell recommends running threat models, testing different scenarios and looking at data flows and trust boundaries to help document repeatable processes and confirm adherence to compliance requirements (like geolocation of data).
• Testing automation: DAST services allow you to now test GUI-less technologies to understand

Have you tried any of these tips when building out your AppSec team? Do you have any to add to Bell’s suggestions? Let us know in the comments.
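The scanning-to-ticketing feedback loop Bell describes (cut the noise before it reaches developers, track each finding once, pull metrics to show return on investment) can be sketched in a few functions. The following is an added example, not code from the episode or from GuidePoint: scanner findings are deduplicated by a stable fingerprint, filtered through a triaged false-positive list, turned into ticket records (reopening a closed ticket when a fixed finding comes back rather than filing a copy), and then the numbers a team would report from its ticketing system are computed. The Finding and Ticket classes, the SLA values and all sample findings are constructed for the example; the Ticket class stands in for a Jira issue and does not use Jira's API.

```python
"""Added example: scanner findings -> tickets -> ROI metrics.
Everything here is constructed for illustration; Ticket is a stand-in
for a Jira issue, not a Jira client."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256
from typing import Dict, List, Optional, Set

# Constructed remediation SLAs in days per severity (assumed, not from the episode)
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner reported it ("sast" or "dast" here)
    rule_id: str    # scanner rule identifier
    location: str   # file:line for SAST, URL for DAST
    severity: str   # "high", "medium" or "low"

    @property
    def fingerprint(self) -> str:
        # Stable id so the same finding from repeated scans is tracked once
        raw = f"{self.tool}|{self.rule_id}|{self.location}".encode()
        return sha256(raw).hexdigest()[:16]


@dataclass
class Ticket:
    key: str
    finding: Finding
    opened: datetime
    closed: Optional[datetime] = None


def triage(findings: List[Finding], suppressed: Set[str],
           tickets: List[Ticket], now: datetime,
           prefix: str = "APPSEC") -> Dict[str, object]:
    """Decide what to file: drop triaged false positives, collapse duplicates,
    reopen a closed ticket whose finding came back, open the rest.
    New tickets are appended to the caller's `tickets` list."""
    by_fp = {t.finding.fingerprint: t for t in tickets}
    created: List[Ticket] = []
    reopened: List[str] = []
    suppressed_n = duplicates = 0
    for f in findings:
        fp = f.fingerprint
        if fp in suppressed:
            suppressed_n += 1          # known noise: never reaches a developer
            continue
        existing = by_fp.get(fp)
        if existing is None:
            ticket = Ticket(f"{prefix}-{len(tickets) + len(created) + 1}", f, now)
            by_fp[fp] = ticket
            created.append(ticket)
        elif existing.closed is not None:
            existing.closed = None     # regression: reopen instead of filing a copy
            reopened.append(existing.key)
        else:
            duplicates += 1            # already open, nothing to do
    tickets.extend(created)
    return {"created": created, "reopened": reopened,
            "suppressed": suppressed_n, "duplicates": duplicates}


def metrics(tickets: List[Ticket], now: datetime,
            sla_days: Dict[str, int] = SLA_DAYS) -> Dict[str, float]:
    """Numbers to report upward: backlog, throughput, mean time to remediate
    and how much of the open backlog is past its SLA."""
    closed = [t for t in tickets if t.closed is not None]
    open_ = [t for t in tickets if t.closed is None]
    mttr = (sum((t.closed - t.opened).days for t in closed) / len(closed)) if closed else 0.0
    past_sla = sum(1 for t in open_
                   if (now - t.opened).days > sla_days[t.finding.severity])
    return {"open": len(open_), "closed": len(closed),
            "mttr_days": mttr, "open_past_sla": past_sla}


def sample_data(now: datetime):
    """Constructed scan output and an existing ticket queue for the demo."""
    scan = [
        Finding("sast", "sql-injection", "src/orders.py:42", "high"),
        Finding("sast", "sql-injection", "src/orders.py:42", "high"),        # reported twice
        Finding("sast", "weak-hash", "src/util.py:10", "medium"),              # fixed earlier, back again
        Finding("dast", "missing-hsts", "https://app.example/", "low"),
        Finding("sast", "hardcoded-secret", "tests/fixtures.py:3", "medium"),  # triaged as a false positive
    ]
    suppressed = {scan[4].fingerprint}
    queue = [
        Ticket("APPSEC-1", scan[2], now - timedelta(days=20), now - timedelta(days=5)),
        Ticket("APPSEC-2", Finding("dast", "xss", "https://app.example/search", "high"),
               now - timedelta(days=10)),
        Ticket("APPSEC-3", Finding("sast", "path-traversal", "src/files.py:88", "high"),
               now - timedelta(days=30), now - timedelta(days=26)),
    ]
    return scan, suppressed, queue


def run_example(now: datetime = datetime(2022, 4, 11)):
    scan, suppressed, queue = sample_data(now)
    result = triage(scan, suppressed, queue, now)
    return result, metrics(queue, now)


if __name__ == "__main__":
    result, report = run_example()
    print("created:", [t.key for t in result["created"]], "reopened:", result["reopened"],
          "suppressed:", result["suppressed"], "duplicates:", result["duplicates"])
    print(report)
```

On the constructed data, five raw findings become two new tickets and one reopened one; the duplicate and the suppressed false positive never reach a developer, which is the "noise" reduction the episode calls for. The metrics line gives the backlog and the one high-severity ticket past its SLA, the kind of figure that shows a program's return on investment over time.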