About the Appsec Program Maturity Curve – a good model to follow…
As information security professionals, we must pursue any opportunity to evolve our approach to application security. Most enterprises with in-house development teams do some kind of ad-hoc appsec testing, usually during the QA process. But maybe you think it’s time to do more than that, to get a bit more proactive in confronting the potential threats the organization faces from weak software security. Luckily there is a proven appsec program maturity curve that can help mature your existing effort, following a well-traveled road to overcoming common challenges along the way. Here’s the really good news: it’s easy to climb a few levels of the curve over a matter of months, not years.
Securing your software is a strategy, not a tactic.
Maybe your organization’s approach is not as proactive as it could be. All too often organizations wait for a data breach incident or compliance audit as the triggering event for appsec projects and investment. Veracode found in a recent study that 70% of CIOs already understand the need for application security. However, the majority of them still will not move to increase their investment in securing the software that runs their business without a triggering event, such as a data breach. This position begs a simple question: Why wait for something bad to happen? CIOs clearly understand the importance of securing the software supply chain, but have mindsets or limitations that result in inertia and inaction. That’s why understanding some simple ways to move forward, in incremental steps of maturity, is so important. To start, you should be able to recognize at which stage of appsec maturity your particular organization is, and be able to outline a concrete path to get yourselves to the next level and beyond.
The Appsec Program Maturity Curve
The appsec program maturity curve has been validated by Veracode using the real-world results of hundreds of organizations that have followed its path to success with software security. Yes, results may vary by organizational size, staffing constraints, budget and a host of other factors specific to your situation. Still, there is much to be learned from peer experience. The key to positive return on investment over time is to start small and scale up with each milestone. This maturity model has six levels. If your organization is already pursuing an ad-hoc testing approach to manage the security of your software, you are not alone. Most organizations that understand the fundamental importance of appsec start here. However, as the model demonstrates, there are five program stages which are more advanced. While there are serious limitations to an ad hoc “program” (let’s use this term loosely), it is still fundamentally better than those whose appsec approach is “Do Nothing”.
Level 1: Ad-hoc Program
Objective: What are we doing?
Program: Inconsistent testing of applications with poor visibility and no development support.
Time Period: Doomed to repeat or mercifully short… you decide.
Level 2: Blueprint Program
Objective: We know what we need to do.
Program: The foundation of a real program, including an app inventory and governing policy.
Time Period: As quick as 30 days.
Level 3: Baseline Program
Objective: We’re rolling it out.
Program: Test all critical apps, scorecard results and onboard development teams.
Time Period: As little as 60 days.
Level 4: Integrated Program
Objective: We’re going big!
Program: Sustainable program scaled across enterprise with full SDLC integration.
Time Period: About 3 months.
Level 5: Improved Program
Objective: We’re reducing our risk.
Program: Mitigate risk across portfolio with automation, retesting, analysis and ongoing education.
Time Period: About 6 months.
Level 6: Optimized Program
Objective: We’ve achieved excellence!
Program: Center of Excellence addressing all internal applications with high ROI.
Time Period: Ongoing.
As sensitive data continues to migrate out of the organization – whether to the cloud or the tablet – it’s imperative that information security professionals continue to champion a shift in organizational attitudes and priorities toward Application Security. Let’s move our organizations along the curve from proactivity to pre-emption. Maybe it’s time to evolve your organization’s approach to appsec to adapt and survive in a hostile world. The forthcoming posts in this series will examine the common trajectory others have followed and describe a methodology for success.