“Our developers are just too busy to worry about securing their applications.” If only I received a dollar for every time I have heard a CISO, CIO or Application Security Manager say these exact words when attempting to develop an appsec program. My name is Pejman Pourmousa and I am a Customer Success Manager at Veracode. I have been working in Professional Services for years. At Veracode, I advise my clients on how to be successful with the Veracode application security testing solutions they purchase. I have decided to start a series of posts based on quotes that trigger “reactionary failure” in application security programs. Throughout the series I’ll cover such topics as application security scorecarding, governance, policies, mandates and more. In this post we'll focus on what I believe is a must-have for a successful security program.
Developer Engagement, Adoption and Utilization
While working with several customers (large and small) it quickly became evident to me that the most successful appsec programs are driven by developers and not by appsec groups. I'm not saying that appsec groups can’t make their programs successful, but they must know how to use services such as Veracode properly to enable the development communities within their companies to embrace appsec. Companies that only utilize Veracode services as a tool for their application security groups are typically not successful. This practice only adds another roadblock in the SDLC. Developers have little to no interest in handing off their projects to application security teams to analyze their code. This process only drives down the adoption of an appsec program. With this approach an appsec team will typically see about 1-5% of the apps that are actually being developed in their company, as most developers will dodge this roadblock. Developers will not actively seek out the appsec group for advice or help on securing their applications. On the other hand, if the appsec group provides developers with a self-service program (not a tool) around application security and enables developers to analyze and fix their applications on their own (in their SDLC), developers will increase their adoption and utilization. The best appsec programs I have seen give developers full enablement to scan, test and fix their applications autonomously during development (prior to their production releases). Imagine thousands of developers with the power to analyze and fix their applications after only a one-hour training program on how to use Veracode for scanning. Even if only half of your developers start scanning and remediating their flaws, your application security posture will improve drastically. This is a much more telling story than an application security team of 10 taking in some applications that developers “may” submit for analysis with a tool they purchased.
In fact, one customer I work with hands out awards for the development teams with the most remediation completed on their application security flaws. This drives developers to spread the word and push for security scanning/remediation. This is easily tracked by the appsec team as all developers use one central platform (Veracode) for scanning, remediating and reporting. This leads nicely into one of my next blog posts on scorecarding and governance of development teams.
5 Takeaways for a Successful AppSec Program
- Application security should be a program, not a “tool.”
- Without the engagement of the application development team, there is no appsec program.
- Centralized scanning in an appsec group does not scale or appeal to others; it must be a self-service offering for all to adopt.
- Centralization of reporting is key in tracking a company’s security posture.
- If developers adopt and drive an appsec program, then the appsec team looks like heroes!