Building an application security battle plan: Home Alone edition

The holiday season is the perfect time to rewatch some favorite festive movies! While some prefer their holiday movies to be as sappy as possible (Hallmark, we’re looking at you), others relish the annual opportunity to watch an 8-year-old boy exact his revenge on two bumbling bad guys in the 1990 classic Home Alone.

It’s funny to think about a kid singlehandedly defending his home from two robbers using micro machines, an iron, and several other slapstick traps. But, it’s a far more probable situation for businesses to find themselves defending their property (a.k.a. their applications) from attackers. Putting up the proper application security measures might not be as humorous as burning a bad guy’s head with a blowtorch, but it can look similar to Kevin McAllister’s “battle plan” in many ways.

So in the spirit of the holiday season, let’s lay out the best application security “battle plan” for keeping out attackers.

The “floors” of your application

Kevin’s clever plan included traps on every floor of his house — the basement, main floor, and second floor. In the movie, he had to devise clever plans for every entrance and room. After all, he couldn’t predict how Harry and Marv (the robbers) would try and enter his house and what they’d do once they got inside it.

In the same way, a good application security plan covers every “floor” of your application — the source code, software supply chain, and infrastructure.

Not only did Kevin include clever (and flat-out devious) traps on every floor of the house, but he also planned for them to be interconnected. Marv clambered up a staircase covered in tar, forcing him to remove his shoes. It put him in the perfect position to step on a nail (shudder!). Harry walked straight into a piece of plastic wrap covered in glue, then tripped a fan that blew a bunch of feathers at him. They stuck right to the glue! Kevin’s pranks played off of each other flawlessly.

Like Kevin’s traps, the elements of your application security plan need to play off each other. Everything that happens on one “floor” of your application needs to connect to the security efforts on the other “floors.” And nowadays, this means weaving together security efforts in source code — both proprietary and open source — as well as cloud infrastructure and containers. Let’s cover what each of these “floors” looks like.

Floor 1: Source code

Good ol’ in-house source code is the most basic level of your application. And if it’s not written with security in mind, it could become a wide-open door for attackers.

But your security team can’t be everywhere all at once. So, you need to automate some parts of your battle plan. Just as Kevin used tripwires to activate tricks automatically, your team can use automated static application security testing (SAST) to find and fix insecure code. Securing your source code takes two steps: conducting routine static application security testing (SAST) and educating your developers on best practices, empowering them to code securely from the start.

Floor 2: Software supply chain

The second “floor” of your application is the software supply chain: the parts of your app that get assembled — not built from scratch — such as container base images and open source components. But, remediating software supply chain security issues takes a specialized set of capabilities. You need to use a tool built to scan for vulnerabilities specific to containers and another that identifies open source risk. And both tools need to provide clear remediation steps, such as reverting to the most secure version of the asset.

Floor 3: Infrastructure

To create the best overall approach to application security, you need to think about the structural elements of your app, such as your cloud environment and infrastructure as code (IaC). Which cloud services are you using for storage? Are they appropriately configured with the right permissions and access control, or could they open up your application to risk? And is your IaC written securely, similarly to your source code?

It takes a contextual approach to secure your app’s infrastructure. After all, your cloud ecosystem doesn’t exist in a vacuum. Instead, the way it gets used is heavily based on your IaC.

Bringing all parts of your battle plan together

All these tools are well and good on their own, but we’re calling it a “plan,” not “plans,” for a reason! If you don’t strategize a way to align all of these separate security efforts, you will miss the full context of any found vulnerabilities. Disjointed tools also create a challenge for the developers, security professionals, and cloud architects who need to collaborate on your security efforts.

Snyk approaches this challenge with a centralized platform for five different areas of security: source code, open source, containers, cloud, and IaC. We also provide developer training to put the power into the hands of the people who know all of these areas best: the development teams. Check out more info on our developer security platform. But don’t worry — if you want to take a reading break and put on _Home Alone_instead, we’ll be right here when you return!