
Positive Technologies: AppSec Table Top

Product
Developers: Positive Technologies
Release date: 2024/09/25
Industry: Information security
Technology: Application Development Tools

2024: AppSec Table Top Presentation

Positive Technologies has released a public secure development framework, AppSec Table Top. The methodology is a set of measures, principles and approaches for securing web applications at every stage of their life cycle. It is intended to help specialists in a range of roles (from systems analysts to DevSecOps engineers) build AppSec processes that take into account business interests, regulatory requirements and the needs of the team. The company announced the release on September 25, 2024.

Current cyber threats are forcing companies to strengthen the protection of their web applications. According to Positive Technologies research, 21% of attacks on organizations in Russia in 2023 and the first half of 2024 targeted web applications. In addition, over the past five years the exploitation of vulnerabilities, including those in web applications, has consistently been among the three most common methods of attacking organizations. As a result, a positive trend has emerged in the domestic market: companies that develop web resources, either in-house or with contractors, are actively adopting DevSecOps processes and tools. This practice makes it possible to identify and eliminate vulnerabilities that attackers could later exploit already at the stages of writing, testing and operating the software.

The domestic secure development industry is relatively young, and companies building AppSec processes face many open questions. At the same time, foreign approaches cannot always be followed directly, since many of them are not applicable in Russian conditions. In response to this need of business and software developers, Positive Technologies experts have created their own methodology. The document distills 20 years of the vendor's experience and the company's expertise in application security, together with best practices from foreign and domestic standards and frameworks (PCI SSF, Microsoft SDL, BSIMM, SAMM, GOST 56939, GOST 15408 and others). Practitioners took part in writing it: IT directors, developers and information security architects.

Key features of the framework:

  • Alignment with domestic regulators.

Positive Technologies experts continuously analyze the requirements and regulations governing the development of secure software and reflect them in the methodology, so that users can track their compliance at any time.

  • Automation.

Reducing manual work not only speeds up development and saves resources, but also minimizes the risks associated with human error and the lack of standardization.

  • Relevance.

The guideline will be updated annually, which will help organizations and individual practitioners stay aligned with regulators, track trends in secure development and test their own hypotheses.

The methodology can be used in three ways: as a reference, as a basis for building secure development processes, and as a model for assessing the maturity of those processes in an organization. The framework is intended for companies of various sizes, from small studios with a development team of up to a hundred people to corporations with several thousand IT specialists.

"The practices described in the methodology, and the ways to implement them, help the business build the elements and processes of secure development so that there are fewer vulnerabilities, they are detected earlier, and fixing them is cheaper and easier. A company can complete any of the stages entirely on its own or with our help, in order to get a good result reliably and as painlessly as possible for the team. For our part, we are ready to accompany and support companies during the implementation and restructuring of their development processes," commented Evgeny Ilyakhin, secure development process architect at Positive Technologies.