COD102 Challenges in Application Security
Table of Contents
Course Overview and Objectives
Security Challenges
Security Culture
Developer Education
Building Security into the Process
Shifting Security Left
Everything as Code
Security is Never Done
Stakeholder Buy In
Third-Party and Open-Source Software
Knowledge Check
Course Summary
Thank You
COD 102 – Challenges in Application Security
Narration
On screen text
COD 102
Challenges in Application Security
Narration
This course is designed for NICE Workforce roles Software Developer (SP-DEV-001) and Secure Software
Assessor (SP-DEV-002). The objectives of this course align with OWASP Top 10 Web Application Security
Risks and the NIST Cybersecurity Framework.
On successful completion of this course, you should have the knowledge and skills required to build a
culture of security that includes education and security awareness, tightly integrate security early into
the software development lifecycle, work with stakeholders to get the necessary support and buy in, and
know the unique risks associated with using third-party and open-source applications.
On screen text
Designed for the Software Developer (SP-DEV-001) and Secure Software Assessor (SP-DEV-002) roles.
Objectives align with OWASP Top 10 Web Application Security Risks and the NIST Cybersecurity
Framework.
On successful completion of this course, you should have the knowledge and skills required to:
• Build a culture of security that includes education and security awareness
Security Challenges
Narration
Web application security is the practice of protecting web applications from external threats throughout
the application lifecycle by using available security hardware, software, tools, techniques, and best
practices. A web application may consist of code running on a single web server, or it may be a more
complex onsite and multi-cloud deployment with multiple databases and connections to various external
services. As complexity and attack surface grow, so does the difficulty of keeping things secure.
Securing a web application is a major task, but making security an intrinsic part of your organization’s
development lifecycle is just as challenging. Here we will look at some of the common challenges that,
when not addressed, can easily derail any security program.
On screen text
Security Challenges
Web application security is the practice of protecting web applications from external threats
Hardware
Software
Tools
Techniques
Best Practices
Security Culture
Narration
The first challenge is building a culture of security within your entire organization. One of the most
important elements for security success is a pervasive culture of security awareness. This requires
developing the knowledge, attitude, and behavior of not only developers and IT staff but, to some
extent, everyone in the organization.
Everyone in the organization should not only understand security risks, but actively participate and
collaborate in improving security.
Building a security culture is not difficult but does require planning and persistence. You can start by
considering the following ideas.
• Assess the current situation so you know where you are starting from.
• Improve awareness throughout the organization through creative outreach and advocacy programs,
including lessons learned from past successes or security incidents.
• Provide the necessary training and resources, accessible to the entire organization.
• Build a security community where employees can communicate and collaborate.
On screen text
Security Culture
Developer Education
Narration
Building security expertise in an organization is a challenge that requires constant attention. While a
security team is a vital resource, developers must also be aware of security risks to avoid these issues in
the first place.
Training is a critical component of effective security and is a fundamental part of the security process.
Nevertheless, developer education does not eliminate the need for dedicated security experts.
In addition to training, other resources for developers include the OWASP Top 10 Web Application
Security Risks and the OWASP Application Security Verification Standard.
On screen text
Developer Education
Building Security into the Process
Narration
Developers juggle many priorities and usually do not specialize in security. Therefore, security goals are
unlikely to be met without a well-thought-out plan. Your application will always be less secure if you do
not integrate security into all phases of application development.
The place to start is with a proper threat model that can help you identify objectives and
countermeasures. This allows you to best understand where to allocate your time and resources.
With that, you can build security into your development process. Keep in mind that not every team has
the same needs so your processes must be flexible enough to adapt to different scenarios.
On screen text
Your application will always be less secure if you do not integrate security into all phases of application
development
Shifting Security Left
Narration
Security is always cheaper and requires less effort earlier in the development stage. The earlier you can
address security issues, the better. This is called shifting security left, where you move most security
checks to earlier in the development, to the design, coding, and commit stages. The term shifting left
comes from the DevOps world but applies to any development methodology.
Shifting left helps to build a security culture, changes the mindset of software developers, and makes it
harder to postpone security checks due to deadline pressures or budget constraints. If you make the
right design decisions with security in mind early, it will have a cascading, positive impact on the rest of
your development process.
Shifting left is not just giving developers a mandate to write more secure code; it also involves providing
them the proper tooling, support, and other resources. It further requires identifying opportunities for
automation that can reduce developer workload.
On screen text
Security is always cheaper and requires less effort earlier in the development stage
SHIFT LEFT (diagram of pipeline stages: Design, Development, Commit, Testing, Deployment, Production)
Requires providing developers the proper tooling, support, and other resources
Everything as Code
Narration
Another way to shift security left is to do everything as code.
Strategies such as infrastructure as code, configuration as code, security as code, and others allow you
to move security decisions to earlier stages of development and ensure that issues are addressed before
they become a problem. Doing everything as code helps ensure consistency, compliance, and
reproducibility. The greatest benefit of everything as code is that now infrastructure, configuration,
policies, compliance, and everything else can go through the same security checks, testing, and change
control as regular code.
On screen text
Everything as Code
Another way to shift security left is to do everything as code
• Infrastructure as Code (IaC)
• Configuration as Code (CaC)
• Security as Code (SaC)
Security Checks | Testing | Change Control
Security is Never Done
Narration
Security is never done; it’s not even done for now. Security is not only a process that requires
continuous effort, but it is also a moving target. Because the threat landscape constantly changes,
security must be addressed and constantly re-addressed.
Security is not a journey with a destination, but rather a cycle of ever-improving processes, techniques,
and key best practices that reduce your exposure to an attacker.
Information security has no silver bullets and no one tool that will cover all your needs. It requires a
systematic and evolving approach that involves actively monitoring issues, addressing weaknesses, and
employing all available resources, whether they are automated or human.
But that does not mean there is never success. The goal here is all those small successes—but even
failures provide opportunities to learn and improve. Understanding the nature of security and
embracing those daily wins is your objective.
On screen text
PROCESSES
TECHNIQUES
BEST PRACTICES
• Active monitoring
• Addressing weaknesses
• Employing available resources
The goal here is all those small successes—but even failures provide opportunities to learn and improve
Stakeholder Buy In
Narration
Security will always be a challenge if key executives do not share security goals. These executives are
integral to strategic alignment, sponsorship across the organization, and delivering essential budgets
and other resources. They can also contribute vital knowledge and perspectives not available to
development teams.
Some tips for getting stakeholder buy-in are:
• Find the right stakeholders who have some interest in the goals of different stages of development.
• Be clear about the security goals and their value in a manner that coordinates with stakeholder goals.
• Engage stakeholders, share progress, and solicit feedback at different stages of development.
• Be honest and share both successes and failures.
On screen text
Stakeholder Buy In
Security will always be a challenge if key executives do not share security goals
Third-Party and Open-Source Software
Narration
One of the greatest challenges for IT staff is not your own software but the many third-party and
open-source applications and libraries it might use. The challenge is largely due to the hidden nature of
these application components.
Addressing security in these components may require manual code reviews, testing, and actively
updating software. Keeping up with these components requires creating and maintaining a thorough
inventory of all third-party components and, with that, integrating dependency-checking software into
the build process.
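The inventory and build-time dependency check the narration describes, as an added Python example that is not the course's own code (it is also the kind of "security as code" check the Everything as Code section refers to): it parses a constructed requirements-style manifest into an inventory of third-party components, flags entries whose version is not pinned, matches pinned versions against a constructed advisory list, and returns a go/no-go result the build can act on. Every component name, version and advisory below is made up for illustration.

```python
# Constructed example, not code from the course: a build-time third-party inventory
# and dependency check. Every component name, version and advisory below is made up.
import re

# Constructed manifest in requirements.txt style.
MANIFEST = """\
webframework==2.3.1
jsonparser==1.0.4
imagelib>=3.0    # not pinned: the exact version used in the build is unknown
templating==4.2.0
"""

# Constructed advisory feed: (component, first affected version, first fixed version).
ADVISORIES = [
    ("jsonparser", "1.0.0", "1.0.5"),   # hypothetical advisory, fixed in 1.0.5
    ("templating", "4.0.0", "4.1.0"),   # hypothetical advisory, fixed in 4.1.0
]

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def build_inventory(manifest):
    """Map component name -> pinned version, or None when not pinned exactly."""
    inventory = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9.]*)$", line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        name, op, ver = m.groups()
        inventory[name.lower()] = ver if op == "==" else None
    return inventory

def check_inventory(inventory, advisories):
    """Findings as (name, version, reason); unpinned entries count since they cannot be vetted."""
    findings = []
    for name, version in inventory.items():
        if version is None:
            findings.append((name, None, "unpinned"))
            continue
        for adv_name, first_bad, first_fixed in advisories:
            if adv_name == name and (parse_version(first_bad) <= parse_version(version)
                                     < parse_version(first_fixed)):
                findings.append((name, version, f"vulnerable, upgrade to >= {first_fixed}"))
    return findings

def build_gate(manifest=MANIFEST, advisories=ADVISORIES):
    """True when the build may proceed (no findings); wire this into the build step."""
    return not check_inventory(build_inventory(manifest), advisories)
```

A real build would read the project's manifest or lock file and a current advisory feed instead of the constructed values; the gate logic stays the same.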
On screen text
Knowledge Check
Narration
From what you have learned in this course, which category would a developer IDE add-in that checks for
security flaws fall under?
On screen text
Knowledge Check
From what you have learned in this course, which category would a developer IDE add-in that checks for
security flaws fall under?
Course Summary
Narration
In this course, you learned about some of the challenges associated with integrating security and
software development.
Topics discussed during this course included building a culture of security that includes education and
security awareness, tightly integrating security early into the software development lifecycle, working
with stakeholders to get the necessary support and buy in, and knowing the unique risks associated
with using third-party and open-source applications.
On screen text
Course Summary
In this course, you learned about some of the challenges associated with integrating security and
software development.
Included in the topics discussed were:
• Building a culture of security that includes education and security awareness
• Tightly integrating security early into the software development lifecycle
• Working with stakeholders to get the necessary support and buy in
• Knowing the unique risks associated with using third-party and open-source applications
Thank You
Narration
Thank You