A Modern Approach to Application & Cloud Security
This is a collaborative document that brings together the thinking of modern AppSec leaders.
We wrote it with industry leaders to focus on how to implement application and cloud security in the modern organisation.
The book is a collection of methodologies from practitioners.
Who helped us create this report
The current state of application security is that we do not have enough qualified individuals, with relevant training and experience, to do all of the work that we need doing.
Tanya Janca
Because most breaches can be traced back to code and we have the data to show this, it’s clear that security is a non-functional requirement for good code and a question of code quality. The only way to improve the quality of that code is to ensure that developers know what good looks like (through awareness and education) and that they are empowered (through tooling and processes) to produce code that meets the mark.
Grant Ongers
It would not be hard to argue that AppSec is the most difficult part of infosec today. Security needs to get out of our organizational silos and be proactive, helpful partners to the application development teams who are in the midst of navigating a generational change in SDLC process and architecture. Ensuring that we have an awareness of how, where, and what attackers are doing to apps in production, as well as having a clear bug identification and remediation strategy, are both fundamental to building an effective defensive strategy that both development and security teams can carry out.
Andrew Peterson
“The key to building secure software is knowledge.” Even the most automated security pipelines rely on someone to interpret the results and take proper action, which boils down to security knowledge.
Dr. Philippe De Ryck
Vandana is a seasoned security professional with experience ranging from application security to infrastructure security and, now, product security. She has been a keynote speaker, speaker and trainer at public events ranging from global OWASP AppSec events and BlackHat to regional events such as BSides in India. She is a member of the OWASP Global Board of Directors and works with communities such as InfosecGirls and WoSec on diversity initiatives.
Vandana Verma
Nicole Becher is currently the Director of Information Security & Risk Management for S&P Global Platts, a leading provider of energy and commodities information and benchmark price assessments in the physical commodity markets. In this role, she works with both technology and business leadership to ensure security is built into the strategic plans of the organization, especially as new technology is deployed.
Nicole Becher
Chris Sellards has a Doctor of Science in Cybersecurity from Capitol Technology University. His dissertation was a quantitative study focused on DevSecOps. He has 24 years of experience in IT, over 20 years in information security, and 15 years working with application security. He has built AppSec programs in the medical, financial services, and insurance industries. He has developed the strategy driving AppSec programs aligned with business security requirements (for both in-house and outsourced development teams) and has done the hands-on work of implementing automated SAST in multiple DevOps pipelines: analyzing findings with developers to identify false positives, tuning queries, setting up incremental scans, and integrating output with tracking tools. He currently serves as Director of Security Architecture & Engineering at The Argo Group and as an Adjunct Professor at the University of Texas at San Antonio.
Chris Sellards
Francesco is an executive, public speaker and out-of-the-box thinker. He is the CEO of AppSec Phoenix, a cybersecurity unicorn start-up revolutionizing the way organizations do vulnerability management, and Managing Director of NSC42 Ltd, a UK-based cybersecurity consultancy. As an executive, he likes to stay close to the technology but to keep it simple.
Francesco Cipollone
Why we came together to write this report
Application security is a growing concern for boards and organisations. We’ve seen a rise in focus on
application security as more and more elements of the organisation are becoming code-driven.
According to a recent survey carried out on C-suite users, a total of 53% of respondents indicated
“cybercrime and data breaches” are the number one concern for cybersecurity. [IBM Study]
So why do criminals (as opposed to hackers) attack an organisation? Mostly for financial reasons, although
there are exceptions (see later in the report).
Verizon’s Data Breach Investigations Report (DBIR) finds that 86% of data breaches are financially
motivated—up 15% over the previous year. In contrast, espionage—the second-highest motive—declined
from 2018 to 2020.
What was our mission
With more code being written and more vulnerabilities being disclosed, we decided to pool our energy and create a modern book for DevSecOps practitioners and security specialists.
The book focuses on data
breach statistics and how they are linked to application security, and then dives into the potential
methodologies (the HOW) and solutions (the WHAT).