“…is part of this balanced breakfast…”
This is the claim of many sugary cereals aimed directly at children. It is also the claim of many vendors in the software security market.
Selling cereal targeting children is an interesting proposition. To make the adults that ultimately have to buy the cereal feel better, the cereal in question is shown as a component of a larger breakfast offering composed of milk, fruit, toast, and some form of juice, with the suggestion that the cereal is part of a “complete” or “balanced” breakfast.
The goal here is to mollify fears that the cereal your child is requesting is the equivalent of crushing cookies and placing them in a bowl. By portraying the cereal as part of a balanced breakfast, the vendor is hoping you buy the intimation the cereal is an equal player in creating a healthy balance. Of course, the reality is that the balance is due largely to the milk, fruit, bread, and juice – the cereal actually brings down the nutritional score of the other assembled parts. Read at face value, the vendor is saying that the cereal on its own does not represent a balanced breakfast.
I use this metaphor because many testing vendors sell you a tool – their tool – as your answer to software security. If you carefully analyze their words, what you will see is that their tool is the bowl of sugary cereal bringing down your nutrition value. Like cereal ads, vendors speak to benefits of the milk, fruits, breads, and juice, but it is not their tool that delivers those benefits.
The truth is that, aside from tools, there are many types of application security testing (AST) that can be used to determine the vulnerabilities in software. Static (SAST) and dynamic (DAST) testing are the most established and widely used, but there are others. An accepted truth is that different types of tests will find different things. Business logic testing adds human security expertise to the process, finding vulnerabilities that automated scans may miss. So real accuracy – the balanced breakfast – is found in a combination of tools and human expertise.
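To make the "different tests find different things" point concrete, here is an added example that is not code from the original post. It contains two constructed flaws: a string-concatenated SQL query, the pattern a static check recognises, and a coupon rule that is syntactically clean and only surfaces when a person writes a test against the stated business rule. The `static_scan` regex (a stand-in for a real SAST rule), the `Order` class, the `FLAT50` code and the in-memory `users` table are all assumptions made for illustration.

```python
"""Added example: a coding bug a scanner flags beside a logic flaw it does not."""
import inspect
import re
import sqlite3


# ---- 1. A coding bug with a recognisable pattern -----------------------
def find_user_vulnerable(conn, name):
    # SQL assembled by string concatenation: the textbook static-analysis finding.
    return conn.execute(
        "SELECT id FROM users WHERE name = '" + name + "'").fetchall()


def find_user_fixed(conn, name):
    # Parameterised query: the remediation the scanner's advice points at.
    return conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def demo_db():
    """Constructed in-memory database with a single user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


# ---- 2. A business-logic flaw with no dangerous pattern ----------------
class Order:
    """Constructed checkout. Intended rule (from the hypothetical spec): a
    coupon may be applied at most once per order, and the total may never
    drop below zero. Neither rule is enforced below; that is the flaw."""

    def __init__(self, items):
        self.total = sum(items)
        self.coupons = []

    def apply_coupon(self, code):
        # No taint source, no dangerous sink: a scanner has nothing to match.
        if code == "FLAT50":
            self.total -= 50
            self.coupons.append(code)  # recorded, but never checked first


# ---- A stand-in static analyser ----------------------------------------
# Matches execute( followed by an f-string or a string literal joined with '+'.
# A real SAST tool tracks data flow; this regex only mimics one of its rules.
SQL_CONCAT = re.compile(r'execute\(\s*(f"|"[^\n]*"\s*\+)')


def static_scan(func):
    """Return True when func's source contains string-built SQL."""
    return bool(SQL_CONCAT.search(inspect.getsource(func)))


# ---- A human-written business-logic test -------------------------------
def logic_test(order_items, code):
    """Exercise the rule the spec states rather than a code pattern: apply
    the coupon twice and report every violation of single-use or the floor."""
    order = Order(order_items)
    order.apply_coupon(code)
    order.apply_coupon(code)
    findings = []
    if order.coupons.count(code) > 1:
        findings.append("coupon applied more than once")
    if order.total < 0:
        findings.append("total below zero")
    return findings


def summary():
    """Side-by-side result: what the scanner sees versus what the test finds."""
    return {
        "sast_flags_concat_query": static_scan(find_user_vulnerable),
        "sast_flags_fixed_query": static_scan(find_user_fixed),
        "sast_flags_coupon_logic": static_scan(Order.apply_coupon),
        "logic_test_findings": logic_test([30, 40], "FLAT50"),
    }


if __name__ == "__main__":
    print(summary())
```

The scanner reports the concatenated query and stays silent on both the fixed query and the coupon method, while the logic test, which encodes what the business rule is supposed to guarantee, reports two violations for a 70-unit order. That gap between pattern matching and intent is what the human-driven testing in the paragraph above fills.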
Back to the cereal. A rational adult would immediately recognize that the sugary cereal in the middle is not pulling proportionate weight in the balanced breakfast equation. However, you have a persistent child who really, really wants that cereal. Furthermore, making a balanced breakfast is a tall order on a hectic morning. You also recognize that even if you offered your child the balanced breakfast, they would likely gobble down the cereal and pass on the other parts.
So you pour the cereal, checking the box to make sure your child has had at least a part of a complete breakfast. The child appears to function at a high level of energy, so you perceive no risk.
It is the same with those chartered with software security. It is easier to believe the siren’s song of the vendor with the fabulous easy button, one perfect test that finds all of your problems and equips your team to eliminate the risks. One tool that magically applies to every situation. But an effective software security initiative does not pour out of a single box.
Most organizations have far more applications in their portfolio than they can count. The risks associated with those applications vary, so the depth of testing for each will vary. Organizations used to be able to get away with testing only high-risk applications, but those days are gone. There are no “one-size-fits-all” solutions, so there is no one product that can solve every problem.
There is an even more profound problem: half of all vulnerabilities are actually flaws in the architecture and design, not coding bugs, and no scanner of the code will surface them. To find these issues, the organization must employ activities such as architecture analysis and threat modeling.
There’s more. You will also need training to teach developers how to integrate security into their software development lifecycle (SDLC). You will likely want to put structure around your software security initiative (SSI) activities. You will want metrics that show management progress and return on your software security spend.
Like I said: there is no easy button. No neat box to rip open and pour out good software security. Your organization must make the commitment to taking its SSI – a balanced breakfast – seriously.
An organization must consider multiple testing methods to really manage its risk. When choosing a vendor, consider the breadth of its services. If you decide to use a vendor with a narrow scope of offerings, resist falling for their sugary cereal story and accept that your organization will need to work with more than one vendor to balance the breakfast. That is fine: having multiple vendors can be a positive thing, and a little healthy competition between your vendors keeps them on their toes, which benefits you.
So where do you go from here? Apply some good, old-fashioned cynicism to the “easy button” claims and recognize that a balanced software security breakfast does have multiple components. But don’t just take my word for it. The Building Security In Maturity Model (BSIMM), for instance, is a thorough study of the software security initiatives of 78 companies, so you can see real-world data on what organizations that have committed to a complete breakfast are doing. You will find that their approaches vary, but the consistent element is that they employ multiple tests and scans.
In other words, pass the fruit, bread, and juice, please.
Related Reading: Better Health, Better Habits: Improving Your Security Diets