Saturday 1 October 2016

Do you have an AppSec team?

(from Software Quality book)

Let's be clear. If, as part of your InfoSec team, you don't have a team of highly skilled professionals who understand AppSec (Application Security), who can program better than most of your developers, and who would be totally hireable by your dev team, then you don't have an AppSec team.

An InfoSec team is also very important, and it performs its own kind of work, but if you don't have an AppSec team you simply don't know whether your applications are secure or not.
What you want is an AppSec team that is keen to write security code, find vulnerabilities, perform security assessments, review threat models, and work with security champions across the company.
  • AppSec is about:
    • code, apps,
    • CI,
    • secure coding standards,
    • threat models,
    • securing frameworks,
    • managing code dependencies,
    • QA,
    • testing,
    • fuzzing,
    • dev environments,
    • DevOps
  • InfoSec is about:
    • networks, firewalls,
    • server security,
    • anti-virus,
    • IDS, logging,
    • NOC,
    • security policies,
    • end-user security,
    • mobile devices,
    • AD/LDAP management,
    • user provisioning,
    • DevOps
There are some overlaps (like DevOps), but in most cases they are very separate domains. AppSec is in the developer domain. InfoSec is everything else :)