From the course: Building an Application Security Program

Introduction to application security

- [Instructor] Before starting to talk about building an application security program, let's first start by understanding what application security is. Application security today is totally different from what it was years ago when I first started out in the field. Applications used to be locked in the data center on premises, and very few were exposed to the outside world. You had your normal websites that were out there, but for the most part, it wasn't as popular for consumer applications or enterprises to release all of the data under websites so people could consume them on a day-to-day basis. So, when we were securing applications 15 years ago, we were really focusing on the firewalls and the routers. We were focusing on the perimeter. We wanted to make sure that if we exposed an application to the outside world, nobody could break in to get to the app servers or the database servers. And that's where you had the concept of the DMZ. So, once you got through all of those layers, there wasn't as much security. We didn't spend a lot of time in the databases securing the web servers or the application servers, because so much of the perimeter was focused on the outside, and that's where a lot of the attackers were focused. Also, languages did not have great support for security testing. They didn't have good ways to test them, so a lot of the testing had to be done manually, which was very time consuming. Over time, this started to change. After the e-commerce boom, customers wanted to have more options. Businesses started building websites and applications to enable business. They expected to see more data, they wanted to interact. So, more data started to be exposed to the outside world. Because of this, companies started moving to the cloud. They needed to be able to accommodate customer demands. They wanted to do it faster. And so by this very nature, the applications started to change and they started to become more interactive.
All of this meant that security teams needed to adapt. What does all of this mean for security? How can we change our processes to work in this new paradigm of IT that enables the business and thus increases our attack surface, while at the same time doing security quicker? Will Townsend had an article for Forbes that stated, "We have to provide robust security over the complete lifecycle of the application, and that means across development, testing, deployment, and ongoing management of the application." Our way of doing application security in the new world has to change. We could not rely on the perimeter anymore, so the perimeter itself had to shift. Security can't just be on the edge, separated from the internet in a DMZ. We have to think about the environment as a whole. We have to start thinking about securing the application all of the way through: the application server, the database server, and the way that the entire application is built and coded. The entire architecture needs to be taken into context. So, the perimeter has to shift, and the protection of the data now becomes a priority. The data is not hidden inside of the data center anymore. The data is out there so that the customers can use it. And if customers can see it, attackers want to get to it. The data is out there, so the protection of the data is now the priority. And ultimately, when you put all of this together, we have to make security go faster. With many organizations moving to the cloud, it means we have to go faster. The cloud moves fast. That's its nature. There's not a Change Review Board that meets every two weeks to approve new servers going into production. New servers can be started at any time, so security has to be faster in order to keep up. We have to adapt the way that we test. We want real-time feedback, not PDFs. We want the application defects where the developers work. So, there's a big focus on partnerships and on integrations. Partnerships are key.
We have to partner with the dev team in order to get things done. We have to figure out how to make those relationships work, and we have to learn as a security team to work where they work. So, that's where DevSecOps comes in. DevSecOps is a combination of development, security, and operations. That's the way we can move faster. Customers want their data faster. They want updates faster. By combining these three teams, it's more efficient. It allows you to build security earlier into the lifecycle, build it into the development process of how they build applications, and then build in security early. For more information, check out my other course on how to build a DevSecOps program. Now, let's start by looking at what a normal development process looks like.