403 Unauthorized

Let’s talk about the state of Application Security


Alright. It’s been a looong while. Not much has changed since my last post. Still toiling away as the sole appsec engineer at \company\, still catching more misses than wins. I’ve come to accept that this specific position in this specific company was never set up to be successful, or that success wouldn’t be as simple as pushing a few code commits, or collaborating with the engineering org to get shit done. Nope. That would be far too easy given how my career has progressed over the past decade.


A major contributing issue I’ve identified seems to be the turnstile that is leadership. In the past 18 months, leadership throughout the company has seen significant changeover, or simply outright attrition. Budgeting has been trimmed of all excess fat. Engineering itself has been cut down to half the size it was, and the resources that still exist are performing amazingly well given that every single person is producing the output of at least two warm bodies. Everyone is oversubscribed, and the seemingly semi-annual restructuring has a lot of people feeling burnt out and trapped.


Secondly, for a short stint infosec was in the same org as engineering, and that pretty well confused the hell out of a lot of people. We’re not there anymore, but the belief that infosec is still under the control of engineering has persisted. This has made getting things done exceptionally hard for us, especially since budget allowances became somewhat muddy, as did ownership of tooling. Hopefully you see how this can be properly problematic for appsec – security tooling that impacts engineering efforts lands in a grey area.


Regardless, I don’t get budget anyway. I don’t get the resources I need to be effective, and as such engineering leaders are of the opinion that security doesn’t do anything. When security does do something, they don’t do it right. Sure makes a guy feel good about himself when he’s putting in 10+ hour days and sacrificing his mental and physical health while watching his children’s childhoods blow by with nothing more than short glimpses of them.


Appsec is arguably the most difficult security job I know of. Relationships have to be cultivated so that the people who are supposed to do the implementation work will actually do the work. Much of the hands-on-keyboard effort is supposed to be delegated out to other people – and you have to take their word that they will do the thing. When they don’t, and you miss goals you defined based on their commitments, you look ineffective. So, you go to do the hands-on-keyboard work yourself, and instantly people are pissed off because you didn’t get their blessing to do your job.


It’s bad. The state of application security is bad.


It’s not all lost, though


I defined plans and architected this program almost a full two years ago. I’m confident that once we overcome the hurt feelings and the animosity towards infosec controlling the narrative about the true risk profile we’re currently in with regard to engineering, the program will be one of the most robust in the industry – not just for a company of our scale.


I think we have the right people listening now who will help shift the focus away from me being the enemy to what I’m really trying to do. That is, help people be better at what they do while protecting the company from showing up in the next big headline. Given our position and the products we’re releasing, if we were to suffer a breach due to a vulnerability in our software, all several hundred of us would be looking for new jobs. Job hunting in this climate? I would rather have my toenails removed with pliers.


For the first time since budget cuts started last year, I am finally hearing whispers that I might get budget for tooling. I can run SAST with some awesome open source tooling just fine, but SAST is a massive time waste without DAST to really focus efforts. My hope is that early next year I’ll finally get this cornerstone software and really be able to get shit moving.


I had pushback against DAST last year because, “the current security posture is terrible. We need to fix that before we add more tooling.” Whatever. We can’t fix the posture if we don’t know what to fix, and I’m now of the mind that I’ll do security things outside of engineering’s view and filter tickets through the vulnerability management program our awesome TPM stood up. There’s no need to have engineers learn a new tool, and if there’s going to be so much pushback against the shift-left effort, that’s fine. I’m all for concurrency, and frankly I would rather engineers not be looking at security tooling anyway.


How, what, and where communication happens matters. A lot.