Application security does not get the attention it deserves. So, when you finally get the green light to start an application security program, the first thing you should be thinking is “how do I make sure my boss and other stakeholders recognize our successes so I can expand the program”. And when a business invests in something as complex as AppSec and which touches so many groups, you are going to be asked to demonstrate the value the program is bringing to the business. This is why it is crucial for you to structure your program in such a way that you will be able to quickly show progress in risk reduction.
“Quick wins” as we call them, aren’t easy to come by in application security and in security in general. In the past security was considered successful if “nothing happened”. But “we didn’t get breached” isn’t a metric, and it certainly won’t help you get more budget to expand your program. Instead, you need to show how risk was reduced and how your program brought value to the organization.
One way to demonstrate a rapid return on investment is to gain visibility into your web application perimeter. You see most organizations don’t even know how many websites they have, and if you don’t have visibility in your perimeter you can bet there are holes in your security. One global manufacturer we worked with found they had over 30,000 web applications. They were able to quickly reduce risk by shutting down the sites they were not using or that were outdated. From there the company worked with Veracode to assess the security of the remaining sites. All told, they reduced risk by 79 percent in less than three months and were able to use this stat to help expand the program to ensure they maintained complete visibility into their web perimeter and continue assessing for security.
For most security programs a quick win is hard to find. However, you can demonstrate results quickly by setting goals and prioritizing the projects that can rapidly reduce risk.