Over the past several weeks, Veracode Director of Marketing Fergal Glynn has been authoring a series on application security for the security news blog Threatpost. Titled “A CISO’s Guide to Application Security,” the five-part series focuses on defining application security, outlining the elements of a comprehensive appsec program, educating readers about application and software-related risks, determining the true cost of a data breach, and providing recommendations to CISOs for managing enterprise-level appsec. Now that the series has come to a conclusion, we have highlighted each post below along with links to the full articles.
Part 1: Defining AppSec - Fergal's first post of the series focuses on the basics of application security. He introduces some must-know terms, outlines the three main components of an appsec program, and lays out a simple roadmap for companies to follow in their efforts to reduce and prevent application and software risks. Read the full post for more details on appsec fundamentals and Fergal's organizational appsec roadmap.
Part 2: The Growing Threat to Applications - While the first post of the series focused on the "what" of appsec, this next segment concerns the "why." As Fergal explains, there are three layers that a company must secure in order to be safe from data breaches or theft: network, hardware, and software. Most organizations have already taken measures to protect their networks and hardware, but in many cases the security measures that protect applications and software are lacking or nonexistent. As the frequency and severity of attacks increase, so does the number of mandates from industry and government regulatory bodies. Read the full post for some alarming statistics on breaches as well as more information on compliance with security regulations.
Part 3: Toward an AppSec Center of Excellence - The third post of the series finds Fergal taking a closer look at how organizations are implementing appsec programs. Enterprise-level approaches can generally be categorized into three stages: Ad Hoc, Baseline Program, and Advanced Program. The Ad Hoc stage is characterized by a reactive approach to security rather than a proactive or preventative one. The Baseline Program stage comes next, marked by a more farsighted take on security in which companies begin to invest in basic preventative measures. Finally there is the Advanced Program, an appsec "Center of Excellence" in which security measures are built into every step of the software development life cycle. Read the full post for more details on the components of each stage.
Part 4: Weighing AppSec Technology Options - Post number four goes into detail on the different options organizations have for application security technologies. Fergal offers an extensive list of the common products and services that companies are using in their application security programs, along with an analysis of the effectiveness of each. The options discussed include penetration testing, static and dynamic scanning, web application firewalls, appsec consulting services, and more. Read the full post for the complete list and analysis.
Part 5: Justifying an Investment in AppSec - The final segment in the series concentrates on gauging the return on investment achievable from a comprehensive appsec program and on how organizations can make the case for investing in appsec. The post opens with an alarming statistic: today, businesses spend 300 times more on acquiring software than on ensuring that it is secure (source: Veracode Blog, using Datamonitor/451 Group data). When the total cost of a data breach is factored in, however, the need for a sound appsec program is clear. Fergal offers some excellent suggestions for how organizations can estimate what their losses would be in the event of a breach, and how IT spending models can be updated to make scalable appsec investment a higher priority. Read the full post for more details.