Program Levels 5 to 6 – from Improved to Optimized
This is the final post in a series on the Application Program Maturity Curve. In this series, we’ve advocated that Application Security is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk. This Maturity Curve model has been validated by Veracode using the real world results of hundreds of organizations. They have learned that the key to positive return on investment is to start small and scale up over time with each milestone. It’s easy to climb a few levels of the curve over a matter of months, not years. Many companies that have followed the Curve’s methodology have achieved an Integrated Program (Level 4) within six to 12 months, even if they started with nothing. One large university had ten development teams onboarded within the first 90 days of the program, training 100 developers. A financial services firm completed baseline security testing of 30 web applications in only three weeks, remediating high severity vulnerabilities within 60 days. Yes, results may vary by organizational size, staffing constraints, budget and a host of other factors specific to your situation. As we explored in our last installment, an Integrated Program scales the organization’s appsec efforts to every software development team by deepening integration with their chosen SDLC and educating them on secure coding practices. Once that process is completed, which could be in as little as three months, you are ready to move to Level 5. 
Improved Program (Level 5)
Level 5: Improved Program
Objective: We’re reducing our risk.
Program: Mitigate risk across portfolio with automation, retesting, analysis and ongoing education.
Time Period: About 6 months. The focus of an Improved Program is deepening centralization and standardization of all program aspects to consistently manage risks. Hallmarks of an Improved Program include:
- Significant reduction and ongoing management of software risk
- Metrics-based decision making driven by program analytics
- Ongoing execution managed through full SDLC integration
- Role-based access to a central software flaw repository
- Ongoing training to improve developer skills
- Automated software re-testing that validates flaw remediation
- At-a-glance compliance status of tested/retested applications
- Program improvements based on trend measurement over time
- Eventual adoption across the full internal application portfolio
Developer education efforts now evolve into professional development programs that deliver ongoing contextual learning matched to each team’s specific project. Analytics can be employed to identify appropriate eLearning courses addressing skill deficiencies, which will in turn lead to more successful compliance results from future application assessments. The Improved Program stage can be completed over a six-month period. Veracode worked with the sixth largest Fortune 500 company to move their appsec program from Level 2 (Blueprint) to Level 5 (Improved) over a period of 24 months. In that time they scaled to 11 development teams globally and went from testing 100 applications every six months to 3000 apps in only eight days. The right mix of people, process and technology will deliver your organization similar results. This customer is now implementing an appsec Center of Excellence, the final level on our Curve.
Optimized Program (Level 6)
Level 6: Optimized Program
Objective: We’ve achieved excellence!
Program: Center of Excellence addressing all internal applications with high ROI.
Time Period: Ongoing.
A bit of knowledge is a powerful thing. There’s no reason to doubt that your organization can attain an industry-leading position in application security. Your Optimized Program will operate as a Center of Excellence that evolves your entire information security organization from a proactive to a pre-emptive position on software security.
At this final stage of securing your internal application portfolio, cross-functional software teams learn to anticipate specific attacks, understand their harmful impacts, and define countermeasures in advance. Your internal developers are now masters of SDLC-driven secure development techniques that promote better, more secure code. The empowered CISO governs policies and procedures across the enterprise to sustain software risk management in the face of evolving compliance mandates. Metrics-driven analysis of key performance indicators returns measurable competitive advantage and ongoing industry innovation. appsec operates as a strategic initiative enjoying ongoing executive sponsorship because of its ability to prove return on investment over time. The mantra of a successful appsec program should be utilization, adoption and expansion. With a rigorous plan and dedicated investment by executive sponsors, any organization can sustain its appsec program at each level along this Maturity Curve. However the methodology demands a continuing drive to make the organization’s efforts systemic, repeatable and ongoing.
Consider consulting appsec professionals for faster progression along the Curve. Sometimes it pays to have a seasoned professional familiar with appsec methodologies in your corner. To achieve strategic objectives faster, your program’s strategy may benefit from the services of a professional software security consultant. These experts can focus on many aspects of process management, and their continued presence will help increase internal knowledge and proficiency. In addition to independent consulting firms, many appsec solution vendors (such as Veracode, shameless plug) offer consulting services to ensure client success with their technologies. Engagement models range from one-off or routine test regimens to long-term strategic relationships which, depending on your available internal resources, may be an attractive option. Veracode’s full range of consulting services can help rapidly scale your efforts. Read more. Read the preceding posts in this series:
- Post 1: About the AppSec Program Maturity Curve
- Post 2: Program Levels 1 to 2 – from Ad-Hoc to Blueprint
- Post 3: Program Levels 3 to 4 – from Baseline to Integrated
