Skip to main content

Introducing Application Security Requirements and Threat Management (ASRTM)

By Rohit Sethi

The Problem: Cyber Security Breaches and Application Security Vulnerabilities

Cyber security breaches are disproportionately caused by software vulnerabilities. From recent outbreaks like Petya and WannaCry to the infamous worms of the 1980s, 90s and early 2000s, like Morris and Code Red — all had their roots in programming errors that enabled system exploitation. Many malware, Internet of Things (IoT), and Point of Sale (PoS) terminal attacks stem from insecure programming practices. Moreover, every year the Verizon Data Breach Incident Report cites web applications as a leading source of breaches.

At the same time, development teams are moving faster than ever to build applications. Agile methodologies are becoming the new norm and organizations are quickly jumping aboard the DevOps train.

We need to secure the ever-accelerating process of developing software. In order to seamlessly integrate security into DevOps, software development teams are increasingly relying exclusively on automated testing to build secure software: static analysis security testing (SAST), dynamic analysis security testing (DAST) and interactive application security testing (IAST).

This trend is alarming. Automated testing usually misses at least half of all vulnerabilities. We cannot absolve ourselves of the responsibility to build security in from the start, yet at the same time we cannot significantly slow down software development.

The Solution: Application Security Requirements and Threat Management

Thankfully, a new methodology is emerging that allows software development teams to build security in and move quickly. As Gartner identified it in the 2017 “Hype Cycle for Application Security,” it’s called Application Security Requirements and Threat Management (ASRTM). ASRTM complements but does not replace SAST, DAST and IAST. Coupled with a solid foundation of security awareness training, ASRTM enables teams to systematically build and maintain secure software.

ASRTM solutions have four major capabilities:

  1. Threat modeling: The ability to generate a specific list of relevant security threats for software based on minimal user input. ASRTM solutions eschew slow & complicated data flow diagrams and trust boundaries and instead rely on basic user input to generate relevant threats.
  2. Requirements generation: ASRTM solutions generate security requirements / controls based that prevent the threats it modeled. These requirements may include code samples, doing away with the need to maintain large, static secure programming guides.
  3. ALM integration: Many modern development teams make extensive use of Application Lifecycle Management (ALM) tools like JIRA. In order to minimize impact on development teams, the requirements should be a part of the application / product backlog just like functional user stories and other tickets. Effective ASRTM solutions should be able to track the status of requirements being completed in the ALM solution and provide a single dashboard for security teams.
  4. Testing integration and aggregation: SAST, DAST and IAST tools all play a critical role in partially ensuring the security of software. ASRTM solutions integrate with these solutions and aggregate the results from disparate tools to demonstrate which requirements have been completed and which ones haven’t. Moreover, they provide instructions on how to manually test or build custom automated tests to verify requirements not covered by scanners.

Critically, ASRTM solutions will allow you to holistically measure how secure your applications are, rather than how many vulnerabilities a test or tool found by providing information on:

  • What threats & requirements an application has
  • Which of those requirements are implemented
  • Which of those requirements are verified through testing

Don’t rely on “number of vulnerabilities found” to measure the effectiveness of your application security, like the vast majority of companies do. With ASRTM, you can adopt a more holistic picture.

Next Steps to Ensure Application Security

Make ASRTM a mandatory part of your application security and/or DevSecOps strategy. Educate your team about the need for ASRTM and why you can’t rely on automated testing alone. Get the word out by telling others about ASRTM!

When you’re ready, you can evaluate specific ASRTM solutions like SD Elements, Irius Risk and the OWASP Knowledge Framework to see which one is the best fit for your organization.

For further reading, take a look at two reports that speak to the benefits of shifting security left in the secure development life cycle and developing a robust application security program grounded in ASRTM. Download “Gap Analysis of Code Scanners: A Deeper Dive into the Problem of False Negatives” here and “Managing Application Security: Insights from Financial Institutions” here.

Rohit Sethi is the Chief Operations Officer at Security Compass. He is on Twitter @rksethi.