Security as Control, Composition, or Context
First, let me say thanks for visiting the DryRun Security blog! In this blog post, I discuss the various approaches the industry has taken to secure software and where we see the industry moving.
I spent the better part of my career between security and engineering teams, attempting to do devops while building cloud services for our customers. Getting it right wasn’t easy, and I often got it wrong. Coordination, communication, compliance, consultants, and coding. It’s all hard. (Not the alliteration; the work itself is hard.) Often the solutions we try don’t deliver what they promise, developers feel ostracized, and we realize that finding metrics to show progress is a bit of a proof-texting exercise.
When building at scale for customers, whether an enterprise or startup, it’s good to realize that security isn’t a solved thing or a single binary event of being secure or insecure. In the past, we've seen security as a control mechanism, where developers are often slowed down and forced to use tools they don't understand, like DAST and SAST. We've also seen the rise of composition, or Software Composition Analysis (SCA), which has helped us think about the components our applications use. However, I believe the best approach for modern applications is context - a concept called Contextual Security Analysis. We’ll get into Contextual Security Analysis a little later, but I wanted you to know where we are heading.
Ok, I think that’s enough foreword; let's dive in and explore these approaches and why Contextual Security Analysis is the way forward. (Foreword and forward… maybe this is a good spot to warn you to expect this type of horrible wordplay on this blog. 😂)
Security as Control
“Security as Control” is more than the tautological statement it appears on the surface.
In the early days of application security, the focus was primarily on control. Developers had to follow strict rules and use mandated tools, such as Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). While these tools can be useful in some cases, they often slow down development and force developers to run scanners or tools they may not fully understand. As a result, security becomes a bottleneck, increases cycle time, and incentivizes developers to make batching decisions.
This approach also tends to create an "us versus them" mentality, with security teams imposing restrictions on developers who are just trying to deliver features and functionality. Consequently, developers may disengage from the security process, leading to further communication breakdown and group collaboration. A classic devops silo problem.
Alternatively, some security organizations foster healthy relationships with their developers and even institute a “Security Champion” program. While this is better, it’s still a variation on the theme. It relies on distributing the same security tooling built for control (DAST/SAST), but the primary audience is the developer that completed security champion school. This takes steps to solve team collaboration problems, but the results are varied across the industry regarding efficacy.
Security as Composition
The rise of Software Composition Analysis (SCA) has been a significant improvement over the control-based approach. SCA allows developers to reason critically about their applications' components, whether it's open-source libraries, third-party APIs, or other software dependencies. By understanding what components are used and how they are integrated, developers can better identify potential vulnerabilities and assess the overall security posture of their applications.
SCA has helped developers make more informed decisions about the components they include in their applications, leading to more secure software. However, it still does not address the root of the problem: understanding the context in which the application operates and how it interacts with various components, data, and services.
Security as Context: Introducing Contextual Security Analysis
Enter Contextual Security Analysis, a new approach to application security that focuses on understanding what an application does, what parts are sensitive, and how changes to the application may impact its security posture. This approach is ideal for modern applications, which are often distributed, microservices-based, and rely heavily on APIs and third-party components.
Contextual Security Analysis allows developers to reason about the security implications of their decisions within the context of the entire application. By understanding the relationships between components, data, and services, developers can make more informed decisions about security, leading to more secure software.
Here are some of the key benefits of Contextual Security Analysis:
- Better decision-making: By understanding the context in which an application operates, developers can make better decisions about security. They can prioritize protecting sensitive data and services, identify potential vulnerabilities, and evaluate the security implications of changes to the application.
- Improved collaboration: Contextual Security Analysis encourages developers and security teams to collaborate, sharing knowledge and insights about the application's context. This collaboration leads to more secure software and fosters a culture of shared responsibility for security.
- Greater agility: With a context-based approach, developers can quickly assess the security implications of changes to the application, allowing them to iterate and innovate more rapidly. This agility is critical for modern applications that adapt quickly to changing market conditions and customer needs.
- Increased visibility: Contextual Security Analysis provides a holistic view of an application's security posture, enabling developers and security teams to move from the binary view of secure or not secure and have a visual representation of how changes impact the system from routing and codepaths to functions and syntax.
In future posts will get into the details of how Contextual Security Analysis and where to start applying the principles within the practice inside your organization. Stay tuned!
In Summary
Traditional views on application security have evolved from being seen as a control mechanism, which often hinders development, to a composition perspective, where we assess the components our applications use. Yet, both approaches fail to provide a holistic view of application security. The future lies in understanding the context – the essence of what our application does, what parts are sensitive or even brittle, patterns and anti-patterns, and a wide range of other useful data about code changes that help provide a window into how those changes might impact its security. This is what we call Contextual Security Analysis, a perspective that not only makes sense for modern, distributed applications but also fosters improved decision-making, collaboration, agility, and visibility.
Find out more about DryRun Security
Are you interested in learning more about Contextual Security Analysis?
Join our list to get access to the product, and by signing up, you'll receive insights delivered directly to your inbox, helping you better understand your application's context and make more informed security decisions.