When you start working as an application security engineer, you'll expect to find straightforward tasks waiting for you. That is rarely the case: each company has its own vision and strategy for handling data security, so security maturity differs from one organization to another.
The steady stream of data breaches and cyber incidents shows that no one out there has a fully mature cyber security program.
If you are already working in this field, I imagine that you sometimes feel that you're achieving nothing and that you are invisible inside the organization. The biggest challenge I see is how to increase your visibility and have more transparency with your manager and the rest of your co-workers.
In this article, I'd like to share what I've learned while working in this field.
Before jumping into security, you should know the product you are supporting inside out. If you don't understand what happens behind the scenes, you can't be expected to find vulnerabilities and flaws.
How to do that?
- Read the documentation.
- Ask questions, and don't be shy or arrogant.
- Shadowing can sometimes help to accelerate the learning process.
Processes & procedures provide a way to understand:
- What needs to be done and why?
- How those processes are carried out, who performs them, and what their purpose is.
Ask for these documents at the beginning to avoid asking unnecessary questions later.
Keep in mind that your contribution will make you more visible, and it's a good sign that you understand how things are working inside.
I usually create a test plan before beginning my journey of finding vulnerabilities and flaws. To do that, ask yourself a few questions like:
- Are you following the proper process?
- What are you testing (determine the scope)?
- Do you have all the resources you need to perform this testing?
- Is there any timeframe you need to respect to deliver your report?
- Who is the audience (C-level executives, software engineers, etc.)?
When you get relevant responses to these questions, start diving into the SDLC to understand the workflow and see how you fit in, because you should be part of the development lifecycle (design, requirements, etc.). That way you can integrate security into each stage (read the Agile Application Security book and thank me later ;).
If you are involved in the early development phases, consider using threat modeling to help your team quantify risks and vulnerabilities.
When you start working with tools like SAST, IAST, DAST, SCA, etc., find a way to integrate them into the build cycle / continuous integration, so that the source code is checked for known vulnerabilities on every new commit.
The results you get from these tools still require a human to review and validate the reported issues. You need a vulnerability management system to maintain product and application information, triage vulnerabilities, and push findings to systems like JIRA and Slack, e.g.:
- IBM Security QRadar.
- AlienVault USM (from AT&T Cybersecurity).
- Acunetix by Invicti.
- Qualys Cloud Platform.
- InsightVM (Nexpose).
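To make the "scan on every commit, then triage" idea concrete, here is an added example that is not part of the article and not code from any of the products listed above. It reads scanner output in SARIF (the interchange format most SAST tools can emit), buckets findings by severity, fails the build when a finding at or above a chosen severity is present, and shapes each finding as a ticket payload. The SARIF document is constructed for this example; the `security-severity` rule property is a convention used by some scanners and is assumed here, and the ticket field names are assumed rather than taken from any tracker's API.

```python
"""Added example (not from the article): a minimal CI gate that reads SAST
output in SARIF 2.1.0, triages findings by severity and decides whether a
commit may proceed. The SARIF document below is constructed for this example.
"""
import json
import sys

# Constructed sample in the shape a SAST tool emits (trimmed to what we use).
# The "security-severity" rule property is an assumed convention (CVSS-like score).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.1"}},
            {"id": "LOG-002", "properties": {"security-severity": "3.0"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "User input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-002", "level": "warning",
             "message": {"text": "Sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

ORDER = ["low", "medium", "high", "critical"]  # ascending severity


def severity_bucket(score):
    """Map a CVSS-style score to a label used for triage and gating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def parse_sarif(text):
    """Flatten a SARIF document into a list of finding dicts."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            score = float(rule.get("properties", {}).get("security-severity", 0))
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res.get("ruleId"),
                "severity": severity_bucket(score),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "message": res["message"]["text"],
            })
    return findings


def gate(findings, fail_at="high"):
    """Return (passed, counts). Fails when any finding is at or above fail_at."""
    counts = {s: 0 for s in ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    blocking = sum(counts[s] for s in ORDER[ORDER.index(fail_at):])
    return blocking == 0, counts


def to_ticket(finding):
    """Shape one finding as a tracker payload (field names are assumed)."""
    return {
        "summary": f"[{finding['severity'].upper()}] {finding['rule']} "
                   f"in {finding['file']}:{finding['line']}",
        "description": finding["message"],
        "labels": ["appsec", finding["severity"]],
    }


if __name__ == "__main__":
    # Usage: python gate.py results.sarif   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = parse_sarif(text)
    passed, counts = gate(found)
    for f in found:
        print(json.dumps(to_ticket(f)))
    print("severity counts:", counts)
    sys.exit(0 if passed else 1)  # non-zero exit code fails the CI job
```

The gate threshold is the policy decision worth agreeing with the team up front: failing the build on every low-severity warning teaches developers to ignore the tool, while failing only on critical findings lets real problems accumulate. Start strict on new code, and raise tickets rather than break builds for pre-existing findings.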
Use a standard (OWASP, NIST, OSSTMM, etc.).
Some companies prefer to work with third-party pentesting companies to get a second validation and an excellent report to show to the auditors ;). So you may be invited to attend some meetings to share your experience and help the external testers determine the critical assets, etc.
...There are still many things to talk about; I will edit this article when I have more time.
If you want to succeed in this job, consider working collaboratively with the rest of the team.
You can reach out to me on LinkedIn if you have questions: @Bour Abdelhadi