Teaching Cyber Blog

Application Security: Top 3 Tasks for an AppSec Team to Prioritise

An application security team's role is to secure software applications throughout their lifecycle. The challenge is the complexity of building software and the priority placed on releasing it quickly without hindering productivity. Where to start? These three areas should be the first to focus on, and to mature as time passes.

Start with the security requirements and design review: security, together with developers, architects, and project managers, makes sure security is considered at the start. Review the application design, solution architecture, and security requirements to identify potential risks and suggest appropriate security controls. This is also a good time to provide secure coding standards and guidelines for developers to follow. Designs and security requirements vary with each organisation and its culture, so this is something to prepare in advance of supporting any software development project.

Secure code review is where the application security team, or developers with guidance, review the source code of applications to identify security vulnerabilities or poor coding practices, particularly common vulnerabilities such as SQL injection and anything aligned to OWASP guidance. Reviewing the code early means developers can update code based on recommendations to improve the security posture while they are still assigned to the project, rather than afterwards, when the cost can be significantly higher.

Finally, vulnerability assessments and penetration testing, which are strictly speaking two separate activities. The application security team can perform penetration testing of applications later in the development lifecycle to identify potential security weaknesses. Both developers and application security team members can perform a variety of vulnerability scanning activities throughout the lifecycle; a blended approach is ideal and can cover areas each team may not have visibility of. These are not all the activities to perform in application security, and they are still a lot of work, but where resources are limited these activities deliver significant security benefits.
