How to support developers during the creation cycle

Our recent webinar about AppSec strategies was led by our special guest, Bruno Limoni, a Cybersecurity Manager who has over 15 years of expertise in cybersecurity, leading Red Teaming, AppSec, and Advanced Tooling teams at Kavak and Mercado Libre.

During the session, Bruno shared invaluable strategies for supporting developers throughout the entire application development cycle, ensuring strong security practices are integrated at every stage.

Initial stages: Risk analysis

In the early stages of development, it’s crucial to conduct thorough risk analysis. This involves identifying potential risks based on the type of data being handled, business flows, and the deployment environment. Although developers or other stakeholders such as product and business teams may raise initial requests, being involved from the beginning is beneficial. Even if there are no specific activities beyond risk detection, it’s important to highlight these initial steps and provide support.

Threat modeling

As the project progresses into the design phase, and when there are proofs of concept (POCs), lines of code, or external solutions like Software as a Service (SaaS) being tested, it’s time to conduct threat modeling exercises. Various methodologies and frameworks can be employed during this phase to systematically identify and address potential threats.

Static analysis (SAST)

Once development is underway and there is code in a repository, different stages of security testing can begin. A classical and often automated control is static analysis (SAST). However, it’s essential to be cautious with static analysis tools due to the high number of false positives they can generate. If the team spends excessive time manually reviewing findings only to discover that the majority are false alarms, it can lead to frustration and inefficiency. Proper calibration and tuning of these tools are necessary to mitigate this issue.

Code review and dynamic testing

As the codebase grows, more dynamic analyses become feasible. This includes manual code reviews and dynamic testing before the application is released to production. Conducting these reviews and tests at this stage is ideal to catch and address vulnerabilities early, ensuring a higher security posture before the final security assessments.

Security assessments and pentests

Before going live, performing a security assessment of the application is essential. This involves a series of tests, often following a checklist or best practice methodology. The goal is to identify and fix any vulnerabilities before the application is deployed.

In contrast, penetration testing (pentesting) is a more aggressive and comprehensive approach, typically conducted when the application is already live. Pentesters use all available resources to exploit vulnerabilities, simulating real-world attacks. This type of testing aims to identify as many security issues as possible, ensuring robust protection against potential threats.

Both security assessments and pentests are necessary as they serve different purposes and provide a holistic view of the application’s security.

Bug Bounty program

After the application has been in production and has undergone various tests and "flight hours," a bug bounty program can be implemented. This involves offering the application on a platform where security researchers and ethical hackers can test it for vulnerabilities. In return, they receive rewards for their findings. A bug bounty program leverages the skills of a broader security community, providing continuous and diverse security testing.

Supporting developers throughout the development cycle requires a structured and multifaceted approach. By incorporating risk analysis, threat modeling, static and dynamic testing, security assessments, pentests, and bug bounty programs, organizations can ensure their applications are robust and secure. This comprehensive strategy not only enhances security but also fosters a collaborative environment where developers feel supported at every stage.