Security Champions, Shift-Left Solutions and Vulnerability Disclosure Programs: A guide to democratizing AppSec and enhancing security quality for services

In an era where the demand for cyber security talent is growing faster than companies can hire and the shift to remote work is introducing new security threats, methods that can augment an organization’s security throughout the Software Development Life Cycle (SDLC) aren’t a “nice to have” — they are essential.

At the recent OWASP 2022 Global AppSec APAC Conference, three of Rakuten’s cyber security professionals contributed topics on the theme of AppSec democratization, highlighting approaches any organization can take to enhance the quality of their services’ security.

Illustration: The Software Development Life Cycle (SDLC)

Democratizing AppSec – Part I: What a Security Champions program looks like nine years strong and growing

Alex Olsen, Secure Development CoE Manager at Rakuten Group.

A Security Champions program consists of members from the development team(s) who act as an extension of the security team in their role as Security Champions. Security Champions help promote and maintain security awareness and practices — and actively look for risks and security issues in the organization.

Alex Olsen, Secure Development CoE Manager, Rakuten Group, led a talk focusing on the preparation phase of the SDLC. At the conference, Olsen covered several key questions that should be considered before starting a Security Champions program:

  1. What value do security governance and Security Champion empowerment activities bring to an organization?
  2. What are the factors to consider in terms of scope, cost and effort?
  3. What has gone well? What type of activities did not add value?

Rakuten found that it needed to create an extension of its security function to build, empower and keep a culture that values security. A key part of launching the company’s Security Champions program has been its focus on security training, with a key goal being to help teams “shift-left” security in the SDLC.

Olsen presented the Security Champions program timeline of new ideas, adjustments, successes and failures. The audience in turn gained valuable insights from the lessons learned — lessons that can be used to launch or improve their own Security Champions initiatives.

“The success of the Security Champions program is having an embedded security culture across the wider organization. For the program to be sustainable, however, the benefit of the activities must outweigh the effort and cost.”

Alex Olsen, Secure Development CoE Manager, Rakuten Group

Democratizing AppSec – Part II: Creating a self-service “shift-left” solution

Goktug Serez, security engineer at Rakuten Group.

In the traditional SDLC model, security testing only happens just before release. As a result, when critical security issues are found, they may be more costly to fix and even pose a risk of delaying a release. Shift-left refers to testing earlier in the SDLC during the development phase. By doing so, security issues can be found and fixed sooner, thus mitigating the risk of a delayed release and improving overall efficiency.

Focusing on the implementation phase of the SDLC, Goktug Serez, security engineer, Rakuten Group, presented a practical demo on how DevOps engineers can integrate a self-service security scanner solution within their team’s existing CI/CD pipelines.

The security team developed a standalone container with pre-configured pipelines, including two scan jobs for both SAST and SCA analysis and a simple API that can be shipped to development teams. This allows the engineers to detect and remediate vulnerabilities during development (the implementation phase of the SDLC), which also reduces the application-level attack surface.

“With a ‘shift-left’ security approach, development teams can reduce the time and budget spent on remediating vulnerabilities by using security scanners to detect them earlier in the SDLC. If you wait until the verification or release phase, it may not only be costly, it also comes with a risk of delaying the release date.”

Goktug Serez, security engineer, Rakuten Group

Enhancing Service Security Quality: Building relationships with external researchers

Akitsugu Ito, IT security engineer at Rakuten Group.

The role of security in the release phase is a continuous cycle of testing, upgrading, patching and maintenance to ensure there are no critical vulnerabilities in the systems. Akitsugu Ito, IT security engineer, Rakuten Group, introduced the benefits of leveraging the power of external researchers, which also helps mitigate the cyber security skills shortage challenge.

Ito supplied an overview of the pros and cons of using Vulnerability Disclosure Programs (VDP) and Bug Bounty programs, before going into detail on how Rakuten introduced its VDP through a crowdsourced security testing platform.

“Organizations should provide a clear method for researchers to securely report vulnerabilities.”

Akitsugu Ito, IT security engineer, Rakuten Group

Illustration: The value external researchers provide to SDLC security risk mitigation.

In launching its own VDP, Rakuten has demonstrated its commitment to service security quality by encouraging collaboration with external researchers in support of the continuous maintenance process during the release phase of the SDLC.

In light of the evolving global cyber threat landscape, enterprises should consider AppSec democratization to overcome the challenges brought on by the global cyber resource gap. By empowering development teams and providing a platform for collaboration with external researchers, a company can ensure its security practices remain efficient and its service security quality high.
