Best practice landscape for modern and secure application development

Modern Application Development (MAD) is an approach to building software with cloud-native technologies. The idea is to use newer tools such as containers and Kubernetes (K8s) to build adaptive applications that are easy to scale, easy to monitor, and easy to manage.

But what about security? Should we secure MAD applications using only the OWASP Top 10 as a guide, or should we look at additional options? And if we adopt a more comprehensive security programme, how can we make sure that developers stick with it over the long term?

WHAT ARE THE BEST PRACTICES FOR MODERN SECURE APPLICATION DEVELOPMENT?

In an ideal world, security and compliance controls would be built into every stage of the application development lifecycle, so that every software component is secure by default and implemented according to industry best practices.

MAD applications, and microservices in particular, give us a clear division of responsibilities and components that can be secured and protected individually. The flip side is a larger configuration surface: more services, manifests, network policies and identities mean more opportunities for misconfiguration. It is up to developers and security professionals to build up their basic security skills and to monitor continuously for new vulnerabilities.

As MAD applications grow in complexity, let's examine the current landscape of best practices for secure development, starting with the OWASP Top 10.

OWASP TOP 10 - WHY IS IT IMPORTANT?

Today, the best-known list of top application security risks is the OWASP Top 10. OWASP (the Open Web Application Security Project) is a non-profit organization dedicated to promoting secure software practices. It publishes a ranked list of the ten most critical web application security risks, compiled from data contributed by the open community; the list has been revised several times since it first appeared, with major editions in 2013, 2017 and 2021.

The OWASP Top 10 risks are based on real, well-documented attack classes that are easy to reproduce. MAD applications are particularly exposed to them because microservices and container orchestration add complexity to the system architecture, which creates far more opportunities for misconfiguration and authentication mistakes.

There is another reason the OWASP Top 10 matters: its mitigations can be automated, scripted, and integrated with web application firewalls, security automation tools, and CI/CD pipelines. Building the controls into the code pipeline makes it easier to catch and avoid many common security issues before they reach production. Plenty of established tooling helps here, including configuration drift detectors, Infrastructure-as-Code (IaC) checks, dependency scanners, policy checkers, and integrity checkers.
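As an added example (not code from the original post, and not a Checkmarx product), here is the kind of policy check a pipeline gate can run over Kubernetes workload manifests before they are deployed. It flags the container misconfigurations that fall under OWASP Top 10 A05:2021 Security Misconfiguration: privileged containers, running as root, writable root filesystems, undropped Linux capabilities, host namespace sharing, floating image tags and missing resource limits. Manifests are read in Kubernetes' JSON form so the script needs only the standard library; the two sample manifests, the registry name and the function names are constructed for this example.

```python
"""Added example: a minimal IaC policy gate for Kubernetes workload manifests.

Manifests are read in JSON form (kubectl accepts JSON as well as YAML), so only
the standard library is needed. The sample manifests below are constructed for
this example; the registry name and function names are illustrative.
"""
import json
from typing import List


def _pod_spec(manifest: dict) -> dict:
    """Return the pod spec for a Pod or for a pod-template workload (Deployment etc.)."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_manifest(manifest: dict) -> List[str]:
    """Return policy findings for one manifest; an empty list means it passes."""
    findings: List[str] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = _pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})  # pod-level defaults

    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(f"{name}: shares a host namespace (hostNetwork/hostPID/hostIPC)")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        # Container-level settings override pod-level ones, so fall back to pod_sc.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))

        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if run_as_user == 0 or not run_as_non_root:
            findings.append(f"{name}/{cname}: may run as root (set runAsNonRoot: true)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: does not drop all Linux capabilities")
        # Accept 'repo:tag' or 'repo@sha256:...'; reject untagged images and :latest.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}/{cname}: image '{image}' is unpinned or :latest")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}/{cname}: no resource limits (noisy-neighbour/DoS risk)")
    return findings


def run_pipeline_gate(manifests: List[dict]) -> int:
    """Print every finding and return a CI exit code: 0 = pass, 1 = block the deploy."""
    exit_code = 0
    for m in manifests:
        for finding in check_manifest(m):
            print("FAIL", finding)
            exit_code = 1
    return exit_code


# Constructed sample: a typical "works on my machine" Deployment.
BAD_MANIFEST = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
  "spec": {"template": {"spec": {
    "hostNetwork": true,
    "containers": [{"name": "app", "image": "registry.example.com/web:latest",
                    "securityContext": {"privileged": true}}]}}}}""")

# Constructed sample: the same workload with a hardened security context.
GOOD_MANIFEST = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
    "containers": [{"name": "app", "image": "registry.example.com/web:1.4.2",
                    "securityContext": {"allowPrivilegeEscalation": false,
                                        "readOnlyRootFilesystem": true,
                                        "capabilities": {"drop": ["ALL"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}""")

if __name__ == "__main__":
    raise SystemExit(run_pipeline_gate([BAD_MANIFEST, GOOD_MANIFEST]))
```

Run as a pipeline step, a non-zero exit code from run_pipeline_gate blocks the deployment; the first manifest produces eight findings and the hardened one none. The same checks are what policy-as-code tools and admission controllers enforce in production clusters; running them in CI simply moves the failure to the point where the developer can still fix the manifest cheaply.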

ARE THERE OTHER METHODS TO CONSIDER?

The practice of secure application development is not solely dominated by OWASP. In fact, there are competing guides and standards that encourage the use of best practices for modern secure application development. The real question is: why aren't they used as much?

To answer this question, let's take a look at two such models: BSIMM and SAMM.

 

BSIMM (Building Security In Maturity Model) is a descriptive framework: it records the software security activities that real organizations perform and lets you compare your own posture against that data. BSIMM does not tell you what to do. Instead, you learn what other organizations are doing. Use BSIMM if you want to benchmark against an established model and bring it into your own business domain.

The model is built from observations of around 128 firms across multiple business verticals. Its core consists of 122 activities, grouped into 12 practices that are organized into four domains:

  • Governance (Strategy & Metrics, Compliance & Policy, and Training),
  • Intelligence (Attack Models, Security Features & Design, and Standards & Requirements),
  • SSDL Touchpoints (Architecture Analysis, Code Review, and Security Testing),
  • Deployment (Penetration Testing, Software Environment, and Configuration Management & Vulnerability Management).

In practice, the security team assesses which activities the organization actually performs and scores them, producing a scorecard that shows where the organization stands and whether additional security controls are worth adding. The scorecard is usually refined around specific areas of interest, since some practices will matter more than others; PII obligations, security standards, and sound network security, for example, are always important considerations.

BSIMM is free to use and makes a good reference point when setting up security audits in an organization. However, it is descriptive rather than prescriptive and is not a formal standard, which makes it a little less attractive than other options.

 

SAMM (Software Assurance Maturity Model) is an OWASP framework project that has a lot in common with BSIMM. Like BSIMM, organizations can use it to measure and assess their security posture; unlike BSIMM, it is prescriptive, describing the activities you should perform at each maturity level rather than reporting what others happen to do.

SAMM is organized into five business functions (Governance, Design, Implementation, Verification, and Operations), each split into three security practices, and every practice is assessed on a three-level maturity scale:

Figure: The Structure of SAMM (source: https://owaspsamm.org/about/)

OWASP provides an assessment toolkit for SAMM that helps you score and track your maturity, but applying either model correctly in practice still requires specialist knowledge. Below we explain why these methods are not as popular as the OWASP Top 10.

 

The main reason these methods are not widely adopted is convenience and practicality. From our point of view, they are too comprehensive and simply require too much effort. Imagine that your company wants to adopt BSIMM as its software security maturity framework. You would need to evaluate which of the 122 activities are relevant to your organization and then track your security score against them. You would also need to invest heavily in training, hiring the right security professionals, choosing the right tools, and making sure the resulting to-do list is actually followed. That is a lot of effort just to understand and integrate a framework that essentially tells you what everyone else is doing (and, by implication, that you should be doing it too).

It is therefore more convenient to adopt the OWASP Top 10 as a single standard: it is based on real incidents, has better tool support, and covers a variety of attacks. Does this mean your organization should not consider BSIMM or SAMM? That depends primarily on your software assurance model and the outcomes you want to achieve (for example audit readiness, support for critical systems, or holistic security goals).

The problem with these maturity frameworks is that they tend to be complex, with expectations about the balance between security and usability that are hard to manage.

They do make sense in certain scenarios, for instance when you are working towards a certification or attestation. Checkmarx KICS, for example, has achieved CIS Level 2 certification; organizations seeking similar certifications must follow a defined set of rules and assessment criteria in order to receive the seal of approval.

Both frameworks discussed above have the advantage of being free to use, and they can save you the time you would otherwise spend researching what everyone else is doing.

THE NEXT STEPS IN MODERN, SECURE APPLICATION DEVELOPMENT

In this blog we have briefly explained the OWASP Top 10 as well as BSIMM and SAMM, two alternative, freely available security frameworks for modern secure application development (and for any kind of software). Start by adopting the OWASP Top 10 as your baseline. Checkmarx SAST is an industry-leading tool that helps you act on this list by integrating checks into your CI/CD pipeline.

Developers also need to be educated on the latest best practices for developing modern secure applications in order to write secure, standards-compliant software. Checkmarx Codebashing is a training platform dedicated to teaching developers the fundamentals of secure coding. OWASP Top 10 protections and developer training should be essential parts of your modern application development workflow.
