With the wrong approach, your AppSec solution could go the way of your treadmill – a great piece of equipment, but not really producing results. Keep in mind that technology is only one part of an AppSec solution, and a technology-focused AppSec plan will end up like your technology-focused New Year’s resolution: a dust-coated treadmill with clothes draped all over it. The equipment is only one part of the equation; you’ll only get fit if you have a plan. Similarly, you can use your shiny new AppSec solution to scan apps all day, but without considering the people and process aspects, your program will not be effective.
Here are three things you should think about before scanning a single app:
Your scan results don’t mean much if you don’t fix anything they uncover. But just handing developers a long list of vulnerabilities is, at best, ineffective – at worst, a showstopper. It’s like the “buy a treadmill and run for an hour every day” fitness plan. Fancy equipment + unattainable goals = new clothes hanger in the basement.
Consider the resources and expertise available to tackle AppSec, and fit your policy to their bandwidth. Setting the bar too high will only lead to developers finding workarounds, or ignoring the policy altogether. Don’t try to do too much too fast, and don’t over-complicate the issue. Keep things simple and manageable, and work to expand over time.
“Everything” is not a reasonable answer – for your AppSec plan or workout plan. Focus on the priorities and best ways to start moving the needle in the right direction – in both cases. Get a handle on your application vulnerabilities by considering:
You need to see how many pounds and inches you’ve lost to see if your workout plan is working, and to stay motivated to keep at it. You also need metrics to assess the effectiveness of your AppSec plan, and to keep executives “motivated” to support and fund your program.
Measure your AppSec results through a set of metrics and key performance indicators (KPIs), such as policy compliance, flaw prevalence, fix rates, performance against industry standards, and business- and goal-specific performance.
In the end, you need a well thought-out AppSec policy, but just as no two fitness routines are alike, every organization’s AppSec policy will be unique. Need help creating yours? Check out our new guide, Policy Matters: How to Build a Robust Application Security Governance Framework.