Scaling security across multiple applications is a challenge that many organizations face. Whether it's deploying a new application security tool or optimizing existing processes, the task of rolling out security measures across a large number of applications can be complex and time-consuming.
In this blog post, we will explore the best practices and strategies for scaling security across many applications. We will delve into the principles of operations and software engineering and discuss how they can be applied to application security. Additionally, we will highlight the use of configuration files, environment variables, and overlays to achieve scalability with modularization. Let's dive in!
Principles of Scaling Application Security
We believe in three fundamental principles for scaling application security:
1. Dry Development: The "Don't Repeat Yourself" (DRY) principle encourages developers to avoid duplicating configuration settings. By breaking down long configuration files into reusable modules, developers can improve readability, reduce maintenance costs, and achieve consistent results across applications.
2. Source Control: Just like source code, configuration files should be managed in version control systems such as Git. This practice ensures everyone has access to the same configuration version and simplifies troubleshooting in case of issues.
3. Local Scanning: StackHawk's Scanner can run locally, close to the running code, enabling engineers to discover and fix vulnerabilities before they make another pull request. This iterative process of making changes, testing, and repeating allows for rapid progress in resolving security issues.
Now let’s see how you can apply these principles to achieve a scalable and efficient AppSec program.
Utilizing Configuration Files and Environment Variables
Environment variables store application-specific values like connection settings and security credentials, allowing for dynamic injection of the correct values at runtime. This flexibility simplifies configuration management across different environments and enables developers to run scans without extensive configuration knowledge.
Setting environment variables with default values also helps ensure developers can easily run scans without explicitly configuring each variable.
Implementing Overlays for Modularization
Overlays are a powerful feature in StackHawk's HawkScan tool that enables the extension and modification of base configuration files. By breaking down configurations into separate YAML files, developers can modularize their settings, making them shareable across different applications. Overlays can include common configurations for authentication, custom scan discovery, test scripts, and more.
Overlays can be specified at scan time through command-line parameters or in CI/CD pipelines. This modular approach to configuration allows for scalability across multiple applications while maintaining consistency and reducing redundancy.
Scaling Across Teams
To roll out this approach to multiple teams, StackHawk offers two options: Git submodules and remote URLs (coming soon!). Git submodules enable centralized management of common configurations and can be shared across applications and teams. Alternatively, we are adding support to reference overlay files via remote URLs, allowing a centralized location to host overlays.
Scaling security across all of your applications is a critical undertaking for organizations aiming to maintain robust application security practices. By applying the principles of operations and software engineering, leveraging configuration files, environment variables, and overlays, and involving the development team, organizations can achieve an efficient large-scale AppSec program.
Thought leadership provided by: Dan Hopkins, VP of Engineering, and Brian Erickson, Senior Product Manager at StackHawk