
Establishing Application Security Visibility

Here at Doma, the purpose of the Product Security Team is to ensure customers trust our products. We do this by enabling our Product Teams, who build our applications, to identify and resolve security challenges quickly. As any security professional will tell you, though, there are many facets of the job, and determining where to spend your limited time is a challenge in and of itself.

The Product Security (ProdSec) team is currently focused on improving visibility, something we see as foundational for determining how to utilize our resources. Greater visibility provides benefits for us and for Product Teams:

  • ProdSec can identify high-impact areas
  • ProdSec can provide just-in-time guidance to teams
  • Teams can understand their current security posture

We are establishing this visibility by creating a dashboard we call the Application Security Portal (ASP). All teams have access to this portal, which ingests data from many sources and provides a single, easy-to-navigate picture of their Application(s)' security posture. In version 1.0, teams can see any outstanding issues identified by software assurance tooling, their Application(s)' risk and how it was calculated, along with proactive tasks they can complete based on the information in their risk matrix.

An example of the Risk Matrix used to classify an Application

Upon login, a snapshot view shows teams a completion rate indicating how many of those proactive tasks they've finished. In the screenshot below, our example "Hello Docker" application has a 50% completion rate because it has been on-boarded but has not gone through a Rapid Risk Assessment. The Rapid Risk Assessment task links to a ticket in our tracking system (that was automatically created!) with guidance and resources to complete the assessment. Completing the ticket would automatically update the dashboard, so Teams get immediate feedback as they improve the security of their apps. The risk matrix for this application indicated that a full threat model is not necessary.

The dashboard for an example application

Finally, the portal has a section showing teams any open issues discovered by our tooling, along with a link to the original finding. Our vulnerability remediation standard is displayed so teams can prioritize issues appropriately and ensure they’re not building up security tech debt.

The aim of the ASP is to become a one-stop shop for teams to understand their security posture and to provide them with relevant guidance. As we continue to iterate on the portal, we plan to incorporate information and views that other stakeholders (e.g., leadership, compliance, etc.) find useful. We have also incorporated a feedback mechanism so teams can help us improve. Keep an eye out for future posts about the evolution of our AppSec Portal.

Let us know what you’re doing to improve security visibility!
