This concept was introduced to me by Tanya Janca, now of https://wehackpurple.com/, in 2018 at RSA San Francisco.
As appsec professionals, what do we want to enable our developers with?
D1. Coaching in the IDE with click-to-fix guidance for common organisation-specific security controls - don't give a dev a problem without a solution
D2. High-signal, low-noise, helpful, LOW-FRICTION cybersecurity controls in the Continuous Integration and Continuous Deployment (CI/CD) pipeline that run fast on every build
What do we need as appsec professionals in order to make this happen?
A1 - analytics - how big is the code base? Have we got coverage of it? Have we got visibility of all the repos? Have we got visibility of the changes in the code base?
A2 - security analytics - what potential security vulnerabilities are in the code base?
A3 - a process to triage and work through the backlog of potential vulnerabilities to find the flaws that really have a material impact on the security posture of the application
A solution to this is:
- linting in the IDE for the top 5 to top 10 organisation-specific flaws, with click-to-fix remediation
- quality-assured, organisation-specific, small, accurate checks in the CI/CD pipeline that run on every build and finish in under 2 minutes. If a check is fast, high-signal and low-noise, developers won't need to find a way around it
- a parallel security analytics pipeline that uses one or more SAST technologies to scan ALL the code in the repos on a less frequent basis (say nightly or weekly) and takes multiple minutes to hours to run
- a backlog of triaged potential issues from the parallel security analytics pipeline output, worked through to confirm real flaws and used to build both the click-to-fix linting and the main pipeline checks, burning the backlog down until those checks can block the build
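As an added example (not code from the original post or from anyone it mentions), here is what one of those small, fast, organisation-specific CI checks can look like: every finding carries click-to-fix guidance (D1), a rule only blocks the build once it has been burned down far enough to graduate from warn to block, and the run is timed against the 2-minute budget (D2). The three `ORG001`-`ORG003` rules, the `BLOCKING_RULES` policy and the sample module are all constructed assumptions; a real organisation would derive its handful of rules from its own triaged backlog rather than from these.

```python
# Added example (not part of the original post): a fast, organisation-specific CI check
# in the style of D2, where every finding ships with click-to-fix guidance (D1).
# The three ORGxxx rules, the BLOCKING_RULES policy and SAMPLE_SOURCE are assumptions
# constructed for illustration, not an organisation's real rule set.
import ast
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    rule: str
    line: int
    message: str
    fix: str        # click-to-fix guidance: never give a dev a problem without a solution
    blocking: bool  # a rule only blocks builds once its backlog has been burned down


# Rules promoted from "warn" to "block" so far (constructed policy).
BLOCKING_RULES = {"ORG001"}

SECRET_NAME_HINTS = ("secret", "password", "api_key", "token")


def _keyword(call: ast.Call, name: str) -> Optional[ast.expr]:
    """Return the AST value of keyword argument `name`, or None if absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _is_literal(node: Optional[ast.expr], value) -> bool:
    """True only for the exact literal `value` (identity check, so 0 is not False)."""
    return isinstance(node, ast.Constant) and node.value is value


def _finding(rule: str, line: int, message: str, fix: str) -> Finding:
    return Finding(rule, line, message, fix, rule in BLOCKING_RULES)


def check_source(source: str) -> List[Finding]:
    """Scan one Python module and return findings sorted by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            method = node.func.attr
            # ORG001: outbound HTTP call with TLS verification switched off
            if method in {"get", "post", "put", "delete", "request"} and _is_literal(_keyword(node, "verify"), False):
                findings.append(_finding("ORG001", node.lineno,
                    "TLS certificate verification disabled (verify=False)",
                    "Delete verify=False; for an internal CA pass verify='<path to org CA bundle>' instead"))
            # ORG002: subprocess invoked through a shell, so arguments are shell-parsed
            if method in {"run", "Popen", "call", "check_output"} and _is_literal(_keyword(node, "shell"), True):
                findings.append(_finding("ORG002", node.lineno,
                    "subprocess called with shell=True",
                    "Pass the command as a list of arguments and drop shell=True"))
        elif isinstance(node, ast.Assign):
            # ORG003: non-empty string literal assigned to a secret-looking name
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_NAME_HINTS):
                        findings.append(_finding("ORG003", node.lineno,
                            f"string literal assigned to {target.id}",
                            f"Replace with os.environ['{target.id}'] and inject the value at deploy time"))
    return sorted(findings, key=lambda f: f.line)


def run_gate(source: str, budget_seconds: float = 120.0) -> dict:
    """Run the check as the fast pipeline stage would: report, decide pass/fail, time it."""
    start = time.monotonic()
    findings = check_source(source)
    elapsed = time.monotonic() - start
    return {
        "findings": findings,
        "blocked": any(f.blocking for f in findings),
        "warnings": sum(1 for f in findings if not f.blocking),
        "within_budget": elapsed <= budget_seconds,
    }


# Constructed sample module: one hit per rule plus one clean call (parsed, never executed).
SAMPLE_SOURCE = '''import requests, subprocess
API_KEY = "constructed-example-value"
r = requests.get("https://internal.example/api", verify=False)
subprocess.run("ls " + path, shell=True)
ok = requests.get("https://internal.example/ok", verify=True)
'''

if __name__ == "__main__":
    result = run_gate(SAMPLE_SOURCE)
    for f in result["findings"]:
        level = "BLOCK" if f.blocking else "WARN"
        print(f"{level} {f.rule} line {f.line}: {f.message}\n    fix: {f.fix}")
    raise SystemExit(1 if result["blocked"] else 0)
```

On the constructed sample this reports `ORG003` and `ORG002` as warnings and `ORG001` as a block, and exits non-zero only because of the blocking rule; moving a rule into `BLOCKING_RULES` is the "burn down to block" step, done once the backlog for that rule is small enough that the check is high-signal rather than noise. Because it is a single AST walk with no network or database access, it stays well inside the 2-minute budget even on a large module, which is the property that keeps developers from routing around it.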
I propose we add onto this concept all the slow-but-good, false-positive-heavy stuff like:
- dynamic scanning of APIs for unauthenticated endpoints and IDORs