Building an application security (AppSec) program that stays current is no easy feat. Add to that the ubiquity of software and applications in everything from consumer goods to medical devices to submarines.There is an increasingly urgent need for organizations to take another look at their AppSec strategies to ensure they are not left vulnerable to cyberattacks and continuously measure and improve their program maturity.
Heads up: Building a world-class, mature AppSec security program is something that needs to be accomplished in phases. It will not happen overnight. A great deal of foundational work needs to be in place before an organization can achieve positive results.
When analyzing AppSec programs, we often find a number of sizable gaps in how vulnerabilities are managed as well as opportunities for improvement, especially related to security processes around the software development lifecycle (SDLC). Addressing these issues and harmonizing the various security processes will help give organizations the capability and vision to identify, track, and remediate vulnerabilities more efficiently, eventually elevating the organization to the level of maturity it seeks.
Following is a checklist to help organizations think through the issues around AppSec maturity to build a program that produces valuable security results.
Ensure Your Security Practices are Current
Given how rapidly application development techniques and methodologies are transforming – and the rate at which software is developed today – companies need to ensure that their security practices are staying current with the ever-changing pressures around compliance/governance, software deployment, DevOps, SDLC, and training. Understanding the current level of maturity and developing a data-driven plan to evolve your AppSec program is key to the success of an organization’s security efforts.
Leverage Real World Data to Benchmark Your AppSec Program
Put a stake in the ground and objectively determine the status of your AppSec program. Comparing your organization’s program with real world data across multiple business verticals will help augment your efforts and determine areas that require focus. Base your security decision on your specific business needs andlessons learned from other mature programs in your industry.
Put Roadmaps in Place to Prioritize and Allocate Resources
The AppSec and software engineering teams within an organization should constantly partner to evolve and improve the AppSec posture for all software assets. This collaboration will help determine how to improve upon current efforts while uncovering additional activities that should be adopted to meet business goals. Putting in place a formalized roadmap for this collaboration allows an organization to better prioritize its business initiatives, budgets, and resource allocation while reducing the overall AppSec risk faced by the organization.
Roadmap stipulation: Use caution and watch for bias. Organizations that are serious about developing a mature program need to be mindful that there may be inherent team biases based on familiarity. For example, if the AppSec team comes from a penetration testing background, the program may lean toward a pentesting bias. Is the team’s experience in code review? Then that bias may shine through. While both disciplines are important and should be a part of an AppSec program, my point is that there may be bias when a more objective approach is needed.
Also understand that there are many frameworks to mature application security. A one-size-fits-all approach is not going to work because every organization has unique needs and objectives around thresholds, risk appetite, and budget availability.
Insist on Governance in the SDLC
Setting up governance within the SDLC is critical. Why? If security teams don’t define what they are trying to accomplish or what security looks like within the SDLC process, it leaves too much ambiguity for who is accountable. Creating governance around SDLC will also help define where an organization needs to build in testing, both manual and automated, from a vulnerability discovery perspective.
Track Your Progress; Benchmark Your Efforts Against Your Peers
Benchmarking your AppSec program by leveraging industry standard frameworks allows you to measure AppSec program maturity consistently and objectively, and make informed decisions based on your business objectives.
Benchmarking scorecards, supported with visuals, enable high-bandwidth conversations with your organization’s leadership team and provides an opportunity to showcase the positive influence that your AppSec program is having on the organization’s business goals. Additionally, you can leverage data from your benchmarking efforts to compare your efforts to others within your peer vertical group, and other business verticals that are also leveraging the same industry standard AppSec framework.
Employ Risk-Based Application Penetration Testing
When looking to mature an AppSec program, organizations should view application penetration testing as a gate validating that everything implemented in the SDLC is working, not just a discovery of vulnerabilities. Pentesting services should be the method used to determine the effectiveness of your secure SDLC and all the automated and manual processes implemented. Oftentimes, organizations will approach this concept in the reverse by starting with penetration testing.
Additionally, having a dynamic pentesting platform that offers data points and risk scores aids in objectively identifying where AppSec is immature and what needs to be prioritized to remediate vulnerabilities that present the greatest risk.
Determine When to Use Automation in Vulnerability Discovery
To build an optimum, mature AppSec program, it is important to determine when it is best to use automation in vulnerability discovery and when to employ manual penetration testing. In short, an effective AppSec program includes the ability to manage and employ threat modeling, manual penetration testing, and secure code review, augmented with automated vulnerability discovery tools that are deployed at various phases of the SDLC process.
For example, automatic testing like dynamic scanning, static analysis, and interactive security testing may be sufficient day to day, but manual penetration testing is warranted when significant architectural changes or technology upgrades to software systems are made. Finding balance in vulnerability discovery is important. It isn’t an either/or.
Vulnerabilities found in production cost roughly $7,600 to fix – 9,500% more than the $80 it would cost to fix those same vulnerabilities when they are detected early in the development process.
– WhiteSource reporting on a joint study by IBM and Ponemon Institute
Insist on Metrics for Proper Data and Analysis
Consistent, timely, and accurate DevSecOps data measurements are important feedback for any organization to capture and analyze as it looks to govern development operations. Quality metrics (numbers with analysis and meaning in context) can ensure visibility, accountability, and management of software security initiatives. Proper application security program metrics allow you to articulate the AppSec program’s value to your organization’s leadership. The benefit? Being able to properly evangelize the value of your AppSec effortsmakes it easier to procure funding and improve the security risk posture of your organization. Additionally, understanding the data at hand to be able to answer contextualized business questions allow for better strategic decision making.
Maturity Attained: Be an Ambassador
What does an organization do once it determines its AppSec program is mature? First, decide if a mature program is a long-term goal. Obviously, security always needs to be a priority, but ongoing maturity programming can be expensive and time consuming. Secondly, there will undoubtedly always be areas that require more attention. While addressing them, I encourage organizations to share their program successes with the broader market. Become a leader and use AppSec maturity as a differentiator that can drive customer and team member goodwill, brand differentiation, and market leadership.