TechTarget: 5 principles for AppSec program maturity

On October 4, 2021, NetSPI Managing Director Nabil Hannan was featured as a guest contributor for TechTarget:

Software and applications are present in everything from consumer goods to medical devices to submarines. Many organizations are evaluating their application security, or AppSec, to ensure their strategies are mature and not vulnerable to cyber attacks.

According to Forrester Research, applications remain a top cause of external breaches. The prevalence of open source, APIs and containers only adds to the complexity of the problem.

Most organizations struggle to understand how to approach AppSec program maturity. Given that many organizations have switched from Waterfall to Agile in their software development lifecycle (SDLC), practitioners are asking, “How do we continue to evolve our AppSec programs?”

Roadmaps can help navigate these issues. Organizations looking to develop mature programs need to be mindful of inherent team biases. For example, if the AppSec team comes from a pen testing background, the program may lean toward that discipline. If the team is experienced in code review, that bias may show through, too. While both disciplines are important and should be part of an AppSec program, the team's background can introduce bias where a more objective approach is needed.

Many mature AppSec frameworks exist, but a one-size-fits-all approach is not going to work. Every organization has unique needs and objectives around thresholds, risk appetite and budgets. This is largely why prescriptive frameworks, such as Microsoft Security Development Lifecycle, Software Security Touchpoints or Open Software Assurance Maturity Model, are not the answer. It’s best to tailor roadmaps on the specific needs and objectives of a particular organization.

5 principles for implementing an AppSec program

These five tenets can serve as a guide for implementing a mature AppSec program.

  1. Make sure people and culture drive success
  2. Insist on governance in the SDLC
  3. Strive for frictionless processes
  4. Employ risk-based pen testing
  5. Determine when to use automation in vulnerability discovery

Read Nabil’s 5 principles for AppSec program maturity on TechTarget’s SearchSecurity.
