“Shift-left” is a term we’ve all heard used ad infinitum over the past few years. However, this approach has – to date – rarely shifted far enough left to encompass secure design, which is something that has both baffled and frustrated me in equal measure.
So I was heartened to see that the risk of Insecure Design has been included for the first time in the 2021 OWASP Top 10 – the organisation’s first update to their list in four years.
OWASP’s Top 10 has long been recognised as an invaluable resource for security and dev/engineering teams when it comes to securing products and services. It’s a vital indicator of trends and patterns in Application Security, and many organisations use it as a starting point for embedding robust, up-to-date security practices.
In fact, not only has Insecure Design been included this year, but it has debuted at number 4 on the list, which goes to show just how vital secure design is when it comes to securing your organisational resources.
As a security architect, I have long advocated for secure design principles and threat modelling to be a standard part of every secure SDLC. You cannot truly say you have shifted left unless you have started considering your product’s security before you’ve actually started building the product.
The 2021 OWASP report says that “if we genuinely want to ‘move left’ as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures.” Music to my ears!
One of the biggest challenges with this approach lies in the eternal mismatch in numbers between security and engineering, which can lead to a lack of availability (and a perceived lack of engagement) from the security team. Now, in my experience, they’re not actually disengaged – they just have too many engineers to support, and not enough time in their day!
Another challenge is the sheer manual effort required to do threat modelling and secure design – especially to do it consistently and at scale. Traditionally, this required gathering a bunch of busy people in a room together, over a number of different sessions, and spending time mapping out and diagramming As-Is and To-Be architectures on a whiteboard, which – and I say this as a security architect – is rarely anyone’s favourite way to spend an afternoon. Let’s just say there’s nearly always something else that people find they could be doing instead.
I think it’s fair to say that many organisations don’t even bother trying, and the ones that do try struggle to complete these tasks – tasks that should be considered essential, that ARE essential, but get relegated to non-essential simply because… well, because they’re painful.
As a result, secure design and threat modelling are overlooked in favour of detective controls, which is a bit like sitting on a ticking time-bomb. Such tools have their place, of course they do, but if they’re finding lots of things that need fixing, that can’t be good: all of those things are already in production by the time they’re found. What if the next time one gets found, it gets found by an external bad actor, rather than by your own detective tool?
The inclusion of Insecure Design as a risk in the latest OWASP Top 10 is a clear signal to our industry that the importance of secure design practices is finally being recognised, and I see this as a really positive development. Of course, it’s not one that surprises me, as the benefits of secure design practices and threat modelling are immense. When done effectively, they can save an organisation vast amounts of time and money, and they don’t even have to be difficult to build into your SDLC!
OWASP believe it’s worth doing – they’ve said as much – and deep down, you know it’s worth doing too. Don’t worry about the traditional pain – at Akeero, we believe our automated threat modelling tool can make most of that pain go away.
We’re here to help you take those initial steps in your Secure Design journey, or help you get back on track if you’ve started the journey previously, but somehow lost your way.
I’d love to spend some time explaining what we do at Akeero and how it can help your team, so please reach out to me if that’s something you might be interested in. Or reach out even just to share your thoughts on this blog, whether you agree or disagree! I love nothing more than a healthy debate!