APMA The world runs on code. We secure it. Mon, 21 Oct 2024 15:07:59 +0000
Navigating the Rising Tide of CI/CD Vulnerabilities: The Jenkins and TeamCity Case Studies https://checkmarx.com/blog/navigating-the-rising-tide-of-ci-cd-vulnerabilities-the-jenkins-and-teamcity-case-studies/ Tue, 06 Feb 2024 05:00:00 +0000 https://checkmarx.com/?p=90060 In the evolving landscape of cybersecurity, a new threat has emerged, targeting the core of software development processes. Recently, an alarming incident has brought to light a significant vulnerability in Jenkins CI/CD servers, CVE-2024-23897: an arbitrary file read through the Jenkins CLI's argument parser that can be chained into remote code execution (RCE). Approximately 45,000 Jenkins servers have been left exposed to RCE attacks, with multiple public proof-of-concept exploits available (https://github.com/h4x0r-dz/CVE-2024-23897, https://github.com/binganao/CVE-2024-23897). This exposure is not a standalone event but a symptom of a growing trend of attacks on Continuous Integration/Continuous Deployment (CI/CD) software supply chains.

The significance of this vulnerability

Exploiting this widespread vulnerability yields more than initial access to the Jenkins server itself: it also puts the downstream consumers of the affected company's software at immediate risk.

Software developers use build server software to manage and automate compilation, building, testing, and releasing. If a build server is compromised, malicious actors gain access to that developer's source code and signing certificates, together with the ability to subvert the compilation and deployment process. That is exactly the access an attacker needs to conduct supply chain operations.

The attraction of software supply chain attacks for attackers lies in their high reward potential and the extensive reach these attacks can have. By infiltrating a single, often well-trusted component of the software supply chain, attackers can gain access to a broad network of systems and data, making these attacks increasingly favored due to their far-reaching and often catastrophic ripple effects.
 

The growing trend of attacks on Continuous Integration/Continuous Deployment (CI/CD) software supply chains

This attack follows a highly publicized attack on another CI/CD server, JetBrains TeamCity (CVE-2023-42793, https://nvd.nist.gov/vuln/detail/cve-2023-42793). CISA attributed exploitation of that vulnerability to Russia's Foreign Intelligence Service (SVR) (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a), and Microsoft reported multiple North Korean threat actors exploiting it as well (https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/). We believe this public Jenkins vulnerability will likewise be used by nation-state actors to strengthen their hold on sensitive software supply chains.

Beyond traditional security measures

In the wake of sophisticated cyber-attacks like these, the limitations of traditional security tools such as antivirus software and intrusion detection systems become apparent. These tools, foundational for baseline security, are tailored to address known threats and vulnerabilities. However, their capacity to handle advanced cyber-attacks targeting software distribution mechanisms is limited. Such attacks often bypass perimeter defenses and exploit subtleties in software delivery systems, highlighting gaps in conventional security measures.

The shortcomings of traditional approaches are further exemplified by tools like the Software Bill of Materials (SBOM). Although an SBOM is invaluable for transparency and tracking component vulnerabilities, it falls short in safeguarding against manipulations within the distribution process itself. This gap highlights the need for a more comprehensive approach to cybersecurity.

Responding to these evolving threats necessitates a multifaceted security strategy. This involves complementing traditional measures with advanced and dynamic approaches. Implementing comprehensive vulnerability management, real-time threat detection systems, and continuous monitoring within the software development and deployment pipelines can provide a more robust defense.
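As an added example (not code from the original post), here is a small Python inventory check that classifies Jenkins instances by whether their advertised version predates the fix for CVE-2024-23897. It assumes, as stated in the Jenkins security advisory rather than on this page, that the fix shipped in weekly release 2.442 and LTS release 2.426.3, and that Jenkins reports its version in the X-Jenkins response header. The hostnames and HTTP responses below are constructed so the script runs offline.

```python
"""Added example: flag Jenkins instances whose version predates the CVE-2024-23897 fix.

Assumptions (from the Jenkins security advisory of 2024-01-24, not from the page):
the fix shipped in weekly 2.442 and LTS 2.426.3, and Jenkins advertises its
version in the X-Jenkins response header.
"""
from typing import Dict, List, Optional, Tuple

FIXED_WEEKLY: Tuple[int, ...] = (2, 442)
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if this version predates the fix on its own release line.

    Weekly releases have two components (2.441), LTS releases three (2.426.2).
    The lines must be compared separately: LTS 2.426.3 is fixed even though it
    is numerically below weekly 2.442, and older LTS lines (2.414.x) never got
    the fix at all.
    """
    v = parse_version(version)
    if len(v) == 3:
        return v < FIXED_LTS
    if len(v) == 2:
        return v < FIXED_WEEKLY
    raise ValueError(f"unexpected version shape: {version!r}")


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Pull the version out of the X-Jenkins header (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def assess(host: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Classify one host as 'vulnerable', 'patched' or 'unknown' (no parseable version)."""
    version = version_from_headers(headers)
    if version is None:
        return {"host": host, "version": "", "status": "unknown"}
    try:
        status = "vulnerable" if is_vulnerable(version) else "patched"
    except ValueError:
        status = "unknown"
    return {"host": host, "version": version, "status": status}


def assess_all(responses: List[Tuple[str, Dict[str, str]]]) -> List[Dict[str, str]]:
    """Run the check over every (host, response headers) pair in the inventory."""
    return [assess(host, headers) for host, headers in responses]


# Constructed sample responses; the hostnames and headers are invented for this example.
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("ci-a.example.internal", {"X-Jenkins": "2.426.2", "Content-Type": "text/html"}),
    ("ci-b.example.internal", {"X-Jenkins": "2.426.3"}),
    ("ci-c.example.internal", {"x-jenkins": "2.441"}),
    ("ci-d.example.internal", {"X-Jenkins": "2.442"}),
    ("ci-e.example.internal", {"Server": "nginx"}),                 # header hidden or not Jenkins
    ("ci-f.example.internal", {"X-Jenkins": "2.426.2-SNAPSHOT"}),   # build string we refuse to guess about
]

if __name__ == "__main__":
    for finding in assess_all(SAMPLE_RESPONSES):
        print(f"{finding['host']:<24} {finding['version']:<18} {finding['status']}")
```

In practice the headers come from an HTTP request against each instance (the /login page is enough; it answers without authentication). Treat an "unknown" result as a reason to verify the instance by hand rather than as "safe": a reverse proxy that strips headers, or a custom build string, hides the version but does not remove the bug.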

A call to action for AppSec managers

Considering these growing threats, the role of Application Security (AppSec) Managers becomes more crucial than ever. The recent incidents involving Jenkins and TeamCity serve as stark reminders of the vulnerabilities inherent in the software supply chain. To combat this, AppSec Managers must ensure that their Software Supply Chain Security Solutions are not just robust but also backed by leading-edge research teams. It’s not enough to have strong defenses; staying ahead of the curve in terms of threat intelligence and technological advancements is key to safeguarding against such sophisticated attacks.

In conclusion, the cybersecurity community must view the incidents with Jenkins and TeamCity as a clarion call. The increasing frequency and sophistication of attacks on CI/CD platforms demand a proactive and comprehensive approach to security. It’s a complex challenge, but with the right strategies and tools, organizations can protect themselves and their customers from these looming threats. As the digital world continues to evolve, so must our defenses against the ever-changing landscape of cyber threats.

APMA: THE NEW APPSEC MATURITY MODEL WITH YOUR SUCCESS IN MIND https://checkmarx.com/blog/apma-the-new-appsec-maturity-model-with-your-success-in-mind/ Mon, 22 Jan 2024 12:00:00 +0000 https://checkmarx.com/?p=89566 We know how important AppSec is to your business's success. With potential threats growing and evolving due to the proliferation of open source code and Application Programming Interfaces (APIs), AppSec is becoming something that enterprises can no longer view as optional. To combat such threats, it is important to combine the implementation of appropriate AppSec technologies with a robust, yet practical and easy-to-implement AppSec methodology, so that everyone in the enterprise is aligned on the goals and steps needed to get results. While AppSec methodologies have existed for some time, it is time to take a fresh look at their effectiveness and to come up with a more lightweight and easy-to-adopt framework that fits the modern, fast-paced, ever-changing enterprises of today.

Forrester's 2023 State of Application Security Report states that integrating AppSec across the entire SDLC will be necessary in order to protect your organization today and in the future. Security is no longer an issue to be considered in silos or at the end of the SDLC. What's required is an AppSec Maturity Model that can help organizations develop a strong AppSec program that secures their applications from the first line of code through deployment and runtime in the cloud.

Let’s talk about planning for this model and choosing the right approach to deal with a changing and ever more threatening security landscape.

Clarity Amongst Acronyms

Which framework should you choose to create and improve your AppSec program? Not only are the threats changing all the time, but technical jargon and acronyms can make it even more difficult to understand what certain security models do. 

Before we go any further, here’s a quick look at two key models you should know. 

OWASP SAMM (Software Assurance Maturity Model)

OWASP is the Open Worldwide Application Security Project. This is a nonprofit foundation that works to improve the security of software through:

  • Community-led open source software projects.
  • Over 250 local chapters around the world.
  • Tens of thousands of members.
  • A leading educational and training conference.

OWASP SAMM aims to provide an effective and measurable way to analyze a development lifecycle and make it more secure. The model can be applied across the complete SDLC and is also designed to grow with the enterprise. It can be tailored to specific organizations and the risks they face. This is achieved by:

  • Evaluating current software security practices.
  • Building a balanced software security assurance program in well-defined iterations.
  • Demonstrating tangible improvements.
  • Offering the ability to define and measure security-related activities throughout an organization.

BSIMM (Building Security In Maturity Model)

This was one of the first ever AppSec maturity models, created 15 years ago. The assessment helps you compare your software security program with those of over 100 organizations across different industry verticals. The result is an objective, data-driven analysis that gives AppSec managers direction on decisions about resources and priorities. 

A Fresh Approach to AppSec Maturity Models

Are these existing AppSec maturity models still relevant in 2023? 

A common issue is that they often provide too much information, making it difficult to know where to start. Another issue is stakeholder management: many models focus on the needs of developers or CISOs, but rarely on AppSec managers. The result is a lack of buy-in across your organization.

These models put a heavy emphasis on agility and the ability to adapt. Whilst there is talk about living in a post-agile world, the dynamic nature of AppSec threats means there is still a great need to adapt rapidly and implement fast feedback cycles. However, a purer version of agile thinking is unsuitable for AppSec. The environment changes too quickly, meaning time spent carefully crafting multi-phase plans can easily feel wasted. 

A Better Way – The AppSec Program Methodology and Assessment (APMA) Framework

At Checkmarx, we developed our own methodology to take AppSec frameworks and methodologies to the next level. The result is the AppSec Program Methodology and Assessment (APMA) Framework.

Experience tells us that the most efficient way to approach your AppSec maturity model is to decide on a target state – and then plan how to get there step-by-step. Decide what actions you need to take to go from your current situation to the desired one. Then work in short iterations with a few actions (sprints) to close the gap. The result is a clearer sense of program progress as the desired state slowly comes within reach.

Security offerings should be straightforward. APMA helps organizations better understand the capabilities they need to improve their AppSec posture and protect their business.

There are five dimensions to our framework that can provide efficiency and effectiveness to any AppSec program and bring all stakeholders together:

  • Strategy and Governance – focusing on high level goals and objectives, policies and KPIs, usually the CISO’s responsibility. 
  • Security Testing (Tactical) – looking at the processes of an AppSec program, often the responsibility of the head of AppSec. 
  • Security Testing (Operational) – examining the tools required and how to use them, usually the responsibility of the head of application development in conjunction with AppSec management. 
  • Security Testing (Architecture and Scale) – the infrastructure required to perform security testing, mainly the responsibility of the IT/infrastructure manager. 
  • Planning – breaking everything down into work packages, a timeline and resources, mainly the responsibility of project manager, program manager and delivery manager.

Whatever model you end up choosing, you should ensure that it is best tailored to your organizational needs, so that employees, suppliers, and customers are secure for the foreseeable future.

APMA can offer you the support you need on your journey to achieve your AppSec goals and, importantly, sustain that security. If you’re interested in how APMA can help mature your enterprise AppSec program, then learn more here.

Get started with APMA by taking the free digital assessment. In just a few minutes, you can obtain actionable recommendations to get started on your AppSec journey. Larger enterprises can contact us for the full assessment.  

5 Tips to Build an Impactful AppSec Program: Real World Insights from APMA Assessments https://checkmarx.com/blog/5-tips-to-build-an-impactful-appsec-program-real-world-insights-from-apma-assessments/ Mon, 08 Jan 2024 12:00:00 +0000 https://checkmarx.com/?p=88776 Leveraging an AppSec maturity framework can help organizations realize where they need to focus their efforts first.  

The Checkmarx AppSec Program Methodology and Assessment (APMA) framework helps enterprises adopt a risk-based scanning and remediation strategy. It integrates an understanding of the risk surface, through the creation of a business application inventory with suitable risk ratings, coupled with effective preset management and application onboarding.  

After conducting more than 100 assessments of enterprises around the world, we have come up with five tips to build an impactful AppSec program.  

1. Risk Rank Your Business Application Inventory 

One of the pillars of effective application security is understanding your risk profile. Not all applications are created equal. A risk-rated inventory is a targeted and efficient way to allocate security resources to an application in proportion to its criticality. 

Organizations must keep a detailed inventory that takes into consideration factors like whether an application is internal- or external-facing, its data sensitivity, and its criticality. This becomes the backbone for informed decision-making, allowing development teams to prioritize their effort on the most critical applications. Organizations that do not have a business application inventory tend to have poor tool deployment, which affects the overall developer experience. 

How do organizations stack up? 

  • 72% of assessed organizations don’t have a risk rated inventory  
  • 65% of those assessed organizations that didn’t have a risk rated inventory either did not have their scan results reviewed or did not have developers execute a remediation process.  
  • 75% of assessed organizations that have a low business application inventory maturity also have only rolled out AppSec testing tools for less than 50% of business applications. 

2. Optimize Presets for Targeted Scanning 

Organizations have different goals — compliance, focusing on high-risk vulnerabilities or taking a comprehensive look at all potential risks. AppSec solutions should be tailored to the goals to improve result fidelity and developer experience. 

50% of assessed customers have not taken the first step to select the preset that aligns with their security strategy. 

Applying a risk-based security strategy involves preset optimization. While default presets are comprehensive, a “boil the ocean” approach can overwhelm development teams and lead to too much noise. The result may lead to developers fixing non-exploitable vulnerabilities, rather than the critical vulnerabilities that pose a significant security risk. The volume of security testing results, coupled with existing workloads, may lead to frustration and resistance.  

Organizations should adapt their scanning strategies according to their risk tolerance and business goals. Checkmarx advocates a three-step preset reset plan to mitigate result fatigue and enhance developer adoption: 

  • Step 1 – Narrow the preset: Introduce narrow aperture presets. 
  • Step 2 – Identify and tune outlier queries: Iteratively search for outlier query results, customizing them for best results. 
  • Step 3 – Focus on critical applications: Channel efforts towards critical applications, deepening SAST scanning, and query customization. 

A measured approach to preset customization significantly affects the long-term satisfaction and experience of development teams. 

3. Onboard Applications in a Structured Manner to Create a Baseline 

Developing a mature application onboarding process is critical to consistently review and remediate results. The onboarding process, encompassing initial scanning, result review, and SDLC integration, sets the stage for application security testing. It ensures that development teams are familiar with security testing processes. 

This process includes tuning checks, rules, and queries, optimizing them for the specific application’s architecture. A security architecture assessment adds another layer of refinement. Regular reviews ensure continuous alignment with evolving application architectures. 

Why is this important? Here’s some real-world data: 

  • Only 21% of assessed customers have a structured process to onboard applications. 
  • 75% of assessed customers with mature triage and optimization process review results on a consistent basis. 20% of them even break builds when processes are violated. 
  • Customers who have a mature triage and optimization process have a 10x better policy enforcement rate. 

4.  Take Advantage of Automation and Integration for Continuous Security Testing 

Automation is key. Integrating automated security testing tools into the development workflow streamlines processes, reduces manual efforts, and ensures consistent results. Organizations with more mature AppSec programs automate security testing to enable more successful review and remediation processes. 

Automated tools offer real-time feedback, enabling issues to be resolved early in the development process. This prevents vulnerabilities from escalating. Developers receive immediate feedback when they commit changes, addressing security issues when they are most attuned to the code, fostering a more agile and secure development process. 

Organizations that automate the testing process reduce friction within their SDLC process, therefore improving their developer experience. 

Lack of automation has a direct impact on result review and remediation. 

  • 64% of assessed customers with a high level of scan automation were more likely to have development teams that reviewed results and remediated vulnerabilities. 
  • 77% of assessed customers that didn't have scan automation also had development teams that didn't review results or remediate vulnerabilities. 

5. Educate Stakeholders about AppSec  

The success of any AppSec program is tied to the education given to stakeholders. Developer training programs that emphasize secure coding practices, coupled with comprehensive documentation and code samples, improve the maturity of AppSec practices. Yet 39% of assessed customers have no education and guidance strategy, and only 32% of assessed customers have implemented a higher-maturity education and guidance strategy. 

Education should be tailored to four key roles: 

  • AppSec management 
  • AppSec experts/champions 
  • Developers 
  • Operations 

Organizations that have a comprehensive education and guidance component see a 25x-30x higher rate of results review and remediation process execution by development teams. 

The APMA Framework: A Roadmap to Enhance Developer Experience 

When the speed of development is non-negotiable, integrating robust application security measures is a must. The APMA framework, distilled from real-world assessments, provides a roadmap for organizations to not only secure their applications but also enhance the developer experience. As organizations embark on this journey, they not only fortify their defenses but also foster a culture of security that resonates throughout DevOps and the SDLC. 

Organizations can get started with APMA by taking the free digital assessment. In just a few minutes, they can obtain actionable recommendations to get started on their AppSec journey. Larger  enterprises can contact us for the full assessment. 

APMA Digital: A New Way to Develop AppSec Maturity https://checkmarx.com/blog/apma-digital-a-new-way-to-develop-appsec-maturity/ Wed, 12 Jul 2023 13:00:00 +0000 https://checkmarx.com/?p=85512 Nobody likes the idea of spinning their wheels.  

Unfortunately, that’s what happens with organizations when they are faced with the barrage of information on what tools to use, what vulnerabilities need the most attention, and find themselves in a web of unstructured processes that keep them from moving forward. 

What good are the best AppSec tools, if you don’t have the right strategy, processes, and implementation in place to use the tools efficiently and effectively?  

This is why understanding your AppSec program’s maturity matters.  

You don’t know what you don’t know. If tools are not being used consistently, effectively, or at all, AppSec programs can fall into a dangerous pattern of working on the least critical aspects, while unknowingly creating larger blind spots and issues in the future.  

The more maturity an AppSec program has, the more continuously those programs build in security throughout their software development lifecycle (SDLC). The problem is, it’s difficult to keep all the moving parts working in tandem. Each tool used must be used consistently, and effectively, to remediate confirmed vulnerabilities, protect critical assets, and keep stakeholders in the loop of timelines and risk. A more mature AppSec program signifies a proactive, rather than reactive, stance to security. A mature organization doesn’t merely respond to threats; it anticipates and mitigates them, significantly reducing the window of opportunity for malicious users. This forward-thinking approach saves valuable time and resources, while safeguarding business continuity.   

The limitations of alternative AppSec maturity models 

Maturity models in AppSec and DevSecOps are not new. There are existing frameworks, however, they are not without their downsides. 

  1. Information overload: Some assessments can be overwhelming for someone who just wants a high-level overview of the current situation and an indication of where to get started. It can be difficult for AppSec managers to have to go into a great level of detail before they have the chance to make improvements to their current SDLC. Many of these assessments can take several days or even a week.  
  2. Long and tedious timelines: Some existing models produce too many results for the user, which can cause them to lose sight of what their immediate priority should be. Furthermore, these models tend to lead users far into the future, typically building a detailed plan for 4 or 5 phases ahead of where they currently are. While looking into the future is valuable, these methodologies don't work in modern development organizations. Because the environment changes constantly, organizations have adapted to invest in only the right amount of planning: detailed plans in the short term and longer-term plans only at a high level. This is aligned with enterprise Agile frameworks such as the Scaled Agile Framework (SAFe). 
  3. Stakeholder concerns: SDLCs and AppSec programs have many different stakeholders. Each stakeholder has different responsibilities, and perspectives, on the overarching process and outcome. Developers are often focused on meeting their objectives, which means security can fall off their priority list since their focus is on getting the required functionality in place. However, to other stakeholders such as CISOs or AppSec managers, the software development organization should also be aware of and manage application risks. Depending on the type of software, these risks can be substantial. Existing frameworks typically focus on one of these perspectives. For example, some frameworks are focused on the management perspective, while others are focused on the developer perspective.  

So, how do we address these challenges, while still trying to give users a way to understand their AppSec maturity? Checkmarx developed the AppSec Program Methodology and Assessment™ (APMA) methodology – it takes a simpler, more pragmatic, and more agile, approach. 

How is the AppSec Program Methodology and Assessment (APMA) different? 

We introduced the AppSec Program Methodology and Assessment (APMA) methodology in a previous blog post. APMA is different in that it has a low barrier to entry, does not require a long planning horizon, and takes all stakeholders' perspectives into consideration. It still has the benefit of a maturity model, in that it gives you a baseline of the current state as a starting point for improvements, helps you see the progress you're making, and lets you quickly bite off chunks of the backlog to reach the desired state. 

How does it work and how does it differ from other application security methodologies? 

The steps of the full methodology are:   

  1. Identifying gaps by speaking with your Checkmarx expert to get an overview of the current situation.  
  2. Agreeing on a target or desired state, considering your goals and AppSec best practices. 
  3. Working in short iterations with a few actions (sprints) to gradually close the gap and reach the desired state.  

With the APMA Premium Assessment, you will work with one of our AppSec advisors. The interview process is short – taking on average 1-2 hours. Based on the interview, our AppSec advisors will create an assessment report and come to an agreed plan. This report includes the recommended actions for the next sprint and a preview of the following sprint. It also includes an overview of the backlog of actions to reach the desired state. 

Another APMA offering is the Comprehensive Assessment. This is an assessment in which stakeholders from different functions are interviewed. The purpose is to break down organizational silos and bring in multiple perspectives. This allows organizations to notice differences in perceptions of the AppSec program, and gaps in communication, which can then be addressed in the APMA report following the assessment. 

Introducing APMA Digital – Try it for Free! 

In addition to the premium and comprehensive assessment, we are excited to introduce APMA Digital, a free and fully automated way to receive an APMA assessment that will give you actionable recommendations within minutes. 

And, best of all, this is open to everyone, whether you are a Checkmarx user or not, at no cost, and the results are available within minutes. Get started now.

In just 15 minutes, you can start your path to AppSec maturity. 

What’s involved? 

  • A short self-service questionnaire with just a few quick questions. 
  • Get an automatically generated report analyzing your AppSec posture and recommended areas of improvement for your next sprint. 
  • Take the results and start improving your AppSec maturity. 

Field-proven with the world’s leading enterprises 

We recently completed our 100th APMA premium assessment. The largest enterprises have seen significant value from these assessments. For example, a market-leading digital travel platform provider said: "The thorough examination of various aspects of our processes, along with identifying potential bottlenecks and inefficiencies, has given us a clear roadmap. With this newfound understanding, we can prioritize our efforts and allocate resources more effectively, enhancing our overall performance." Christophe Piquet, AppSec Manager at Cdiscount, said: "The APMA methodology elevated the discussion to the overall spectrum of an AppSec program and zoomed out from the day-to-day discussion that usually is driven by tactical or operational issues to fix."  

15 minutes to start your path to AppSec maturity 

Are you ready to find and focus on the most critical issues, maximize your return on investment into AppSec, and increase developer buy-in? Investing in AppSec maturity isn’t just about reducing risk and preventing business-critical incidents. It’s about fostering a culture of security within the organization, ensuring compliance, preserving brand reputation, and instilling confidence with internal and external stakeholders around your commitment to AppSec. 

All it takes is 15 minutes, and you’ll have an idea of where you can take immediate action to help your AppSec program become more efficient and impactful, and your organization more secure. Take the first step now and perform a self-assessment and get an APMA report within minutes here

Key Considerations for Building a Proper AppSec Program for Modern Application Development https://checkmarx.com/blog/key-considerations-for-building-a-proper-appsec-program-for-modern-application-development/ Thu, 02 Jun 2022 10:57:29 +0000 https://checkmarx.com/?p=76334 Many firms’ security efforts are focused solely on deploying technologies, applying “best practices,” and responding to a never-ending stream of security alerts and threats. As a result, security becomes reactive, with teams that are too preoccupied with “firefighting” to ask whether the organization is becoming more secure. This causes friction between business executives and security personnel. When the business is running smoothly, top management teams see security initiatives as costly and optional.

Rather than just defending the traditional network perimeter in order to keep business assets safe, all AppSec programs should strive for a collaborative security model with effective strategies, tactics, and operational maturity models.

Continue reading to learn how business leaders and security teams can collaborate to create a proper AppSec program in today’s complex modern application development environment.

The Building Blocks of a Proper AppSec Program

To create a viable long-term security model, you must take a solution-oriented approach and focus on security relationships and responsibilities. This way, managers will not only realize the importance of having a secure maturity model, but will also be actively involved in its adoption, assessment, and implementation.

Strategic Security Management

Any organization’s leadership must have a solid strategy for developing a proper AppSec program, and this begins with recognizing the security issues that it faces. The answer to security business challenges is competent strategic management, which can be achieved by establishing security rules, addressing personnel issues, and assessing threats and hazards. Project managers and executives in strategic security management are responsible for measuring and evaluating risk, developing security budgets, and determining overall operational direction.

Tactical Security Management

Tactical security management enables organizations to mitigate security threats. Here, security executives and leaders create and conduct risk mitigation security initiatives. Tactical security management activities include planning, creating, defining standards, and performing security duties. Roles and responsibilities related to security decisions and day-to-day security operations are defined and shared across the management team.

Operational Security Management

Operational security management attempts to answer the question of which security processes and techniques you should use. This procedure makes use of analyzing tools, auditing tools, physical controls, scanners, and packet sniffers. To aid in the implementation, enforcement, and monitoring of information security standards, operational management should be included in modern application development.

Five Key Vectors for Assessing Maturity in AppSec Programs

With security becoming a top priority in software development, evaluating your AppSec program's maturity is an important best practice for any organization. The goal of an AppSec maturity assessment is to determine the appropriate level of security for your company and to implement the necessary capabilities to achieve it. Below, we discuss the essential metrics for assessing maturity in modern AppSec programs.

Strategy and Governance

The dimension Strategy and Governance focuses on high-level Goals & Objectives, Policies and KPIs. The CISO is typically in charge of determining whether the AppSec program meets the strategic and governance objectives. By identifying metrics, compliance, and the type of instructional guidance required for the model being utilized, strategy and governance procedures aid in the assessment of maturity models. Goals and Objectives, Strategic KPIs, AppSec Policy, and Education and Guidance are some of the other exercises addressed in this vector.

Secure Design

Secure design is an approach to development that uses threat modeling to design products and capabilities that are fundamentally secure. Crucially, it involves the implementation of security domains, perimeters, and control procedures at the start of the SDLC, which enhances security testing and AppSec development. The objective of secure design is to build, integrate, and use software that has been generated with security as a key component rather than an afterthought. Examples of secure design practices include choosing the type of firewall to use, enforcing the policy of least privilege, and designing intrusion detection systems and security filters. Guaranteeing secure design is typically the responsibility of the project manager, program manager, and delivery manager.

Two premier leaders in the AppSec world, NIST (The National Institute of Standards & Technology) and OWASP (The Open Web Application Security Project), are championing the importance of prioritizing secure design in modern AppSec programs.

Security Testing – Tactical

Tactical application assessment is an important vector for automating application security testing. The tactical aspect of security testing aims to find security vulnerabilities in your apps from source code to runtime. It includes tactical considerations such as procedures and guidelines, as well as aspects such as the vulnerability life cycle, the result validation process, the application onboarding process for security testing, and processes to create an application inventory and perform risk rating of applications.

Security Testing – Operational

The dimension Security Testing – Operational focuses on technology, i.e., the tools and how to use them in terms of procedures and guidelines. This vector is critical for ensuring security testing encompasses how tools are integrated into the DevOps or SDLC process, how bugs/defects are monitored, and how to manage the various system vulnerabilities that may arise as a result of the AppSec program’s integration of diverse tools. The head of application development, in collaboration with AppSec management, is primarily responsible for this.

Security Testing – Architecture and Scale

Security Testing – Architecture and Scale is concerned with the infrastructure needed to conduct security testing. It guarantees that the AppSec program’s tools are structured and sized to match the scope of the firm. When performing AppSec security testing, it is mostly the duty of the IT/infrastructure management to ensure that architecture and scale metrics are met. This exercise includes architecture and scale-focused assessments such as deployment model architecture, capacity planning and sizing, as well as system monitoring of the security testing tools.

Where Should You Start with AppSec?

Even with the most powerful technology, meticulous planning and execution are essential if you want enterprise-grade security results. Your developers will spend less time fixing and more time coding with our world-class Checkmarx APMA™ Framework. To learn more about Checkmarx’s approach you can read more about it here.

Faith Kilonzi is a full-stack software engineer, technical writer, and DevOps enthusiast with a passion for problem-solving through implementation of high-quality software products.

She holds a bachelor’s degree in Computer Science from Ashesi University. She has experience working in academia, fin-tech, healthcare, research, technology, and consultancy industries in Kenya, Ghana, and in the USA. Driven by intellectual curiosity, she combines her passion for teaching, technology, and research to create technical digital content.
