Scaling Security Across Applications: Best Practices and Strategies

Brian Erickson|May 17, 2023

Discover fundamental principles of operations and development to streamline your configuration process, and explore the power of environment variables and overlays to easily manage your configurations and ensure consistent results across all apps.

Scaling security across multiple applications is a challenge that many organizations face. Whether it's deploying a new application security tool or optimizing existing processes, the task of rolling out security measures across a large number of applications can be complex and time-consuming.

In this blog post, we will explore the best practices and strategies for scaling security across many applications. We will delve into the principles of operations and software engineering and discuss how they can be applied to application security. Additionally, we will highlight the use of configuration files, environment variables, and overlays to achieve scalability with modularization. Let's dive in!

Principles of Scaling Application Security

We believe in three fundamental principles for scaling application security:

1. DRY Development: The "Don't Repeat Yourself" (DRY) principle encourages developers to avoid duplicating configuration settings. By breaking down long configuration files into reusable modules, developers can improve readability, reduce maintenance costs, and achieve consistent results across applications.

2. Source Control: Just like source code, configuration files should be managed in version control systems such as Git. This practice ensures everyone has access to the same configuration version and simplifies troubleshooting in case of issues.

3. Local Scanning: StackHawk's Scanner can run locally, close to the running code, enabling engineers to discover and fix vulnerabilities before they make another pull request. This iterative process of making changes, testing, and repeating allows for rapid progress in resolving security issues.

Now let’s see how you can apply these principles to achieve a scalable and efficient AppSec program.

Utilizing Configuration Files and Environment Variables

Environment variables store application-specific values like connection settings and security credentials, allowing for dynamic injection of the correct values at runtime. This flexibility simplifies configuration management across different environments and enables developers to run scans without extensive configuration knowledge.

Setting environment variables with default values also helps ensure developers can easily run scans without explicitly configuring each variable.

Check out this step-by-step guide on utilizing YAML configuration files and environment variables with HawkScan.

Implementing Overlays for Modularization

Overlays are a powerful feature in StackHawk's HawkScan tool that enables the extension and modification of base configuration files. By breaking down configurations into separate YAML files, developers can modularize their settings, making them shareable across different applications. Overlays can include common configurations for authentication, custom scan discovery, test scripts, and more.

Overlays can be specified at scan time through command-line parameters or in CI/CD pipelines. This modular approach to configuration allows for scalability across multiple applications while maintaining consistency and reducing redundancy.

Check out this article to learn more about what overlays are, how to use them in your HawkScan configuration, and best practices to follow.
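
As an added illustration (not StackHawk's code, and not HawkScan's actual schema or merge rules), the Python sketch below models the two ideas from the sections above: configuration layers merged in order, and placeholders with defaults resolved from the environment. The `${NAME:default}` placeholder style, the key names, and the variable names are assumptions made for this example; the password placeholder deliberately has no default, so a missing secret stops the load rather than being written into a file kept in source control.

```python
import os
import re

# ${NAME} or ${NAME:default}; this placeholder style is an assumption of the example.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def merge(base, overlay):
    """Deep-merge overlay onto base: nested maps merge, other values replace."""
    out = dict(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = value
    return out


def resolve(node, env):
    """Substitute placeholders; a variable without a default must be set."""
    if isinstance(node, dict):
        return {k: resolve(v, env) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, env) for v in node]
    if not isinstance(node, str):
        return node

    def sub(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        if default is None:
            raise KeyError(f"required variable {name} is not set")
        return default

    return _PLACEHOLDER.sub(sub, node)


def load(layers, env=None):
    """Merge layers left to right (later layers win), then resolve placeholders."""
    env = os.environ if env is None else env
    merged = {}
    for layer in layers:
        merged = merge(merged, layer)
    return resolve(merged, env)


# Constructed sample: a per-app base file and a shared authentication overlay,
# shown as already-parsed YAML. Key names are hypothetical.
BASE = {"app": {"env": "${APP_ENV:Development}", "host": "${APP_HOST:http://localhost:8080}"}}
AUTH_OVERLAY = {"app": {"authentication": {"username": "${SCAN_USER:scanner}",
                                           "password": "${SCAN_PASSWORD}"}}}
```

Calling `load([BASE, AUTH_OVERLAY])` with only `SCAN_PASSWORD` set yields a complete local configuration from the defaults, while a pipeline can override `APP_HOST` and `APP_ENV` without editing either file.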

Scaling Across Teams

To roll out this approach to multiple teams, StackHawk offers two options: Git submodules and remote URLs (coming soon!). Git submodules enable centralized management of common configurations and can be shared across applications and teams. Alternatively, we are adding support to reference overlay files via remote URLs, allowing a centralized location to host overlays.

Scaling security across all of your applications is a critical undertaking for organizations aiming to maintain robust application security practices. By applying the principles of operations and software engineering, leveraging configuration files, environment variables, and overlays, and involving the development team, organizations can achieve an efficient large-scale AppSec program.

Thought leadership provided by: Dan Hopkins, VP of Engineering, and Brian Erickson, Senior Product Manager at StackHawk
