February 15 2022 | 3 min read
Educational | February 15 2022 | 3 min read
Application Security leaders often make a foundational mistake when building their AppSec programs: they think from an inside-out perspective. This leads to stale, traditional approaches that often start with legacy vulnerability scanning tools that produce excessive noise, have too many false positives, and lead to your AppSec Engineers focusing on the wrong things and spending their valuable time on unimportant or redundant issues.
Any successful cybersecurity program needs to start from an attacker’s perspective. Put another way: you need to start where attackers are going to start! While this may seem intuitively obvious, it is hard to do. When you’re focused on defense, you have a greater understanding of the scope of your security risks and all of the things that could possibly go wrong, no matter how unlikely. It’s only natural to want to focus on remediating “vulnerabilities with high CVE scores that could lead to application compromise, second-guessing, and internal finger-pointing. The mistake with this line of thinking is that it is not aligned with the true risk to the business.
What’s often overlooked as an essential concept is the difference between “known” and “unknown” security weaknesses.
Known security issues are simple. They include:
It is easy for attackers to identify and exploit these known vulnerabilities – and do so with minimal effort. Little skill is required to take advantage of known vulnerabilities and exploit code is readily available.
Unknown vulnerabilities are much more complex. Consider what it takes for an attacker to discover and exploit a zero-day vulnerability in custom code. Even with tools like Metasploit, taking advantage of a brand-new buffer overflow is non-trivial! It requires an order of magnitude more skill and security knowledge than the vast majority of would-be attackers. For this reason, attackers will always gravitate toward known weaknesses and vulnerabilities.
A cloud-native app as a “system” consists of open source libraries, multiple layers of dependencies, Infra as Code, scripts, cloud configurations, API gateway settings, and more. The custom code you write yourself is only a small portion of the application. The greatest surface area for mistakes is in the rest of the app! When AppSec leaders focus on statically analyzing their custom code as the centerpiece of their programs, they’re making a common – but critical – mistake! Legacy SAST tools drown AppSec professionals in false positives and incorrectly-prioritized alerts.
When you think from an attacker’s perspective, you realize that too many Application Security programs are focused on the wrong things. They’re so worried about the complex “unknown” risks that they don’t spend the time required to address the simpler “known” risks.
Addressing these issues requires a risk-based approach to building an application security program. You can do this in six simple steps:
Learn more about how Apiiro can help you build and scale a risk-based application security program here!