I enjoy fly fishing, but I’m not that good at it. It’s not my full-time sport, nor my day job, so when I go out for some “fun” it can be a real ordeal. I see others on the river that clearly know what they are doing and they are catching fish left and right. Sometimes I hire a guide and they find the right spots where the fish are, help me with my casting technique, fly selection, etc. And my results are much better.
Is software security really any different?
There are so many tools, languages, threats, complex development techniques, and so few experts. How is a startup or small business going to succeed without a guide? It’s a total shot in the dark and can be really frustrating!
Modern AppSec Survival
In a recent blog post, we covered some modern app sec survival tips and the value of a “guide” or VAR. A Value Added Reseller (VAR)/consultancy is an independent organization with expertise in the services (guidance) they provide, the various tools (flies, rods) they know well, and they (should) have security experts who know where the tools excel and where manual techniques are necessary (the spots where the fish are and where they are not). Are you going it alone or using a guide?
Good guidance is so important
A good consultancy/VAR can help evaluate your current environment, techniques, threats, and tooling in place, identifying areas that are lacking and areas where you are doing well. They know the tool vendors, know which tools perform better than others in today’s complex environments, and are well acquainted with modern development practices. They employ security experts who can deploy the tools correctly and efficiently in your environment, identify areas of your code that the tools can’t traverse, and suggest appropriate methods to review those areas, to ensure the code you ship is as secure as it needs to be.
Not all Rods are the same - nor are scanners!
Take security tools for instance – run any Dynamic Application Security Testing (DAST) tool against a simple web page and they’ll all find the same results. But run those same tools against a modern and complex website, and only one or two will excel at enumerating all the potential vulnerabilities and interrogating the Application Programming Interface (API). And even the best of the best typically can’t find everything: flaws in business logic, complex APIs, and other parts of the code they can’t see or crawl. A good VAR will know these shortcomings and steer you away from an inadequate scanning tool, while helping to identify the right mix of tools and techniques for your needs.
Modern software development is powerful…and dangerous
Pretty much every software development environment uses in-house or third-party APIs. Cloud environments are full of them – they interface with other software and services. One bad API can spoil the lot and leave a gaping hole for an attacker to exploit. There are a ton of API scanners on the market. Which one is appropriate for your environment(s)? The vendor sales rep might tell you their scanner is the best. Is it? How would you know? An independent VAR works for you – the customer – looks at your environment holistically, and makes an independent recommendation on the most effective and appropriate API scanner.
Back on the river
Switching back to fly fishing – a great independent fly shop will have a variety of rods and reels, a choice of waders and boots, and a wide selection of flies to meet your specific needs. They will share their expertise and knowledge freely, and they will also have great guides with knowledge of the local waters. Sure, you can go out, pick a spot on the river and try fishing alone – but you will most likely be frustrated. A bad day on the river is one thing; a bad day with your web application can have serious consequences. In my experience, going with a guide is well worth the investment, and the same holds true when it comes to application security activities!
True Positives isn’t a fly shop! But we have a hundred years of application security expertise and offer free consultation, and we can help you get outfitted with the right tools and automation, and provide expert guidance throughout your software development lifecycle.
True Positives (T+) is an AppSec consultancy specializing in automated solutions, manual testing services, and assurance program overwatch. We serve security teams and toolmakers alike to help the entire industry shift left.
We are AppSec experts with 100+ years of experience, advising Boeing, Cisco, Intel, Microsoft, and others. We provide our expertise, insight, and solutions to businesses without demanding enterprise-level fees. When you work with us, you get the best protection at the best rates.