How AppSec has evolved in 2021: Reddit’s perspective
May 3, 2021
0 mins readAs organizations continue to rely on software for core business processes, application security is an ever-critical consideration. Snyk recently held a roundtable with Reddit to discuss application security in 2021.
In this post, we’ll recap the discussion between Guy Podjarny, President & Co-Founder of Snyk, and Spencer Koch, Security Wizard at Reddit. Reddit has over 600 engineers, and its security team leverages Snyk Open Source security, Snyk Container vulnerability management, Snyk Infrastructure as Code security, and the Snyk API to scale AppSec across over 1,000 repositories.
How organization size impacts AppSec
The goals of application security remain the same no matter the size of an organization:
Driving security requirements
Finding vulnerabilities before they’re exploited and preventing them happening in the future
Enriching the developer experience with security data and testing
That said, Koch believes the way AppSec is implemented will depend on the size of the organization and security team.
“I think the difference between big and small is where you end up focusing your attention on how to get the job done,” says Koch. “The job is still the same whether you’re at a large company or small startup. You have to change your mindset around the deployment of the resources you have.”
For example, smaller teams don’t have the time and resources to implement security tools that require bespoke engineering effort. Smaller organizations need to focus on picking a tool, whether it's open source or commercial, that can be rolled out quickly and managed centrally while meeting a majority of its use cases — all on limited resources.
A larger organization, on the other hand, may choose security tooling that better aligns with business requirements and myriad use cases, even if it requires more upfront and ongoing effort. Larger organizations not only have larger budgets, but they also often have layers of approvals and management that mean implementation may take months (or longer). Often, larger organizations will want to make sure they get it right the first time, even if it means it takes longer — and that makes sense! However, never underestimate the power of quickly iterating and trying something new to see if it works — all organizations are different.
Dealing with fragmented technology stacks
A key decision most organizations need to make is whether to give developers freedom to adopt any technologies they choose or impose limitations on new languages, frameworks, and more through a strict governance model. While more developer freedom may seem like a great thing, any time organizations adopt additional technologies, their tech stack can become more fragmented and increase infrastructure components and engineering overhead to maintain it.
“There’s a trend now to say AppSec is dead, but that’s not the case,” says Koch. “Company politics will still be around, and organizations will have multiple business units that want to do their own thing. So there’s still going to be the problem of fragmented tech stacks and the proliferation of competing products. AppSec engineers will be there to ensure deployed controls work like they’re supposed to, meeting overall InfoSec objectives.”
With a fragmented tech stack, many large companies lose out on economies of scale because there will always be additional overhead for developers and security engineers. For example, applying security controls could require numerous tools and processes for static analysis or code scanning to achieve compatibility with different sets of technologies. That means companies need to decide how much they want to spend to maintain non-standard tech stacks, especially when development-related functions like security create additional overhead.
Companies need to balance developers’ ability to choose their own technologies with the potential increase in overhead for application security, technical debt, and supporting infrastructure by introducing consistency and commonality of processes. Every organization has different priorities, so it’s a matter of weighing the pros and cons with the longer term in mind.
The importance of developer-friendly application security tooling
In terms of adoption, it’s crucial for developers — and other teams in charge of making the business successful — to feel like using third-party security tools helps their development process move forward smoothly and increases their quality of product. That way, they’ll choose to adopt security tooling not because the organization is mandating it, but because it’s easy, straightforward, and beneficial to use within their existing workflows.
“Snyk’s whole ethos is that we’re a developer tooling company tackling security,” says Podjarny. “The way to make developers embrace security is to put them at the center, but there still needs to be a balance to meet the requirements of application security teams as well.”
For many security teams, the key to adoption comes down to the tools being seen as enablers of quality instead of blockers. If organizations start with well-defined security best practices, they can then choose developer-friendly tooling and implement automation to make adoption throughout the organization become the path of least resistance.
The Scope of AppSec In 2021
The general consensus of the security professionals involved in the roundtable is that application security should include any areas of vulnerability related to applications — from infrastructure and cloud security to container and network configurations. That means as more technology is abstracted into software making development easier and faster, the role of AppSec teams is growing and evolving.
“The way that I’ve always structured my teams is to focus on offensive security as a capability,” Koch explains. “Rather than focusing on separate skill sets like application, infrastructure, or cloud, it makes sense from an executive perspective to bundle these together, as the underlying technologies and use within your organization continues to evolve.”
Larger enterprises with a massive amount of assets or niche technologies to secure, however, may see better results by separating these functions into smaller teams to improve depth of coverage. That said, the data from each of these areas is valuable and interdependent, so even with separate teams, the vulnerabilities often share similar patterns. Moreover the goal remains the same for each of these different functions, so it’s generally a matter of organizational structure and politics.
Since AppSec continues to evolve every year, Snyk regularly hosts webinars to gain different perspectives from security professionals within the industry. These roundtables are an opportunity for Snyk to understand the needs of application security teams and developers alike, so that the company can continue to align its products to the security needs of organizations like Reddit — and beyond.