AWS re:Invent 2025 - From Code to Cloud: Building AppSec Programs with AWS (SEC222)

Building AppSec Programs with AWS

Understanding Application Security

• Application security is a set of people, processes, and technologies used to evaluate the security properties of software during all phases of the software development lifecycle (SDLC).
• AWS views application security through two key dimensions:
  1. Distributed ownership: Everyone at AWS who builds and operates services is responsible for the security of those services.
  2. Shift left: Integrating good security practices as early as possible in the SDLC.
• Implementing application security best practices early on can reduce costs, reduce risk, and enable faster delivery of features and capabilities.

Key Principles of AppSec at AWS

1. Set Clear Expectations: Understand the organization's risk tolerance and define security requirements, policies, and standards.
2. Empower Developers: Provide robust training and communities to enable developers to build securely.
3. Automate: Use automation to consistently apply and enforce security requirements across the SDLC.
4. Measure: Incessantly measure security metrics to track risk posture and drive continuous improvement.
5. Organizational Buy-in: Ensure security is a top priority across the entire organization.
6. Make it Easy: Meet developers where they are and provide the "easy button" for security tasks.

AppSec Program Roadmap

1. Planning:

   • Stakeholder analysis: Identify, engage, and understand stakeholders, their business objectives, and their security concerns.
   • Establish clear goals and metrics to measure success.

2. Preparation:

   • Gain visibility into the application portfolio by conducting code scanning and software composition analysis.
   • Define and communicate security standards, requirements, and policies.
   • Empower developers by training them on threat modeling.

3. Execution:

   • Integrate threat modeling as a standard part of the design process.
   • Implement security testing in development pipelines.
   • Use a defense-in-depth approach to apply security controls.

4. Scaling:

   • Identify systemic issues and build secure design patterns and reusable components.
   • Empower developers by providing "golden path" security solutions.
   • Continuously seek feedback from stakeholders to improve the AppSec program.

Practical Examples and Demonstrations

1. Threat Modeling:

   • Leverage frameworks like the "Four-Question" approach to identify risks early in the SDLC.
   • Use tools like Threat Composer to document and automate the threat modeling process.

2. Code Scanning:

   • Integrate security scanning into the developer's IDE using AWS CodeGuru.
   • Leverage AWS CodeGuru's "steering documents" and agents to define and enforce security standards.

3. Vulnerability Management:

   • Use AWS Inspector to automatically scan code repositories for vulnerabilities and misconfigurations.
   • Provide a centralized view of security issues across the application portfolio.

Key Takeaways

• Make security easy and integrated for developers by meeting them where they are in the SDLC.
• Empower developers to own security by providing training, tools, and reusable secure components.
• Leverage automation and centralized visibility to scale the AppSec program across the organization.
• Continuously engage stakeholders, measure progress, and iterate to improve the AppSec program over time.