Application security is unlike other forms of IT security in several ways. One of the things that makes it unique, and at times difficult, is that it is a program that never ends: every new feature, dependency, or release is a fresh opportunity to introduce a vulnerability, so the work has to continue for as long as software is being written and changed. With most other forms of security, you deploy a solution, define your rules, and then monitor and tune as needed. Those areas rarely require you to design a new set of processes and a standing program from scratch, the way application security does.
Another area that makes application security unique is the need to get buy-in from multiple stakeholder groups in your company. With network security or endpoint security, you’ll need budget approval from the higher-ups, but for the most part, the IT/security teams can create strong policies and protocols in a silo. Not so with application security; software has become such an integral part of business that an AppSec program impacts many groups at a deeper level than other types of security. Anyone who builds, buys or downloads software is going to be impacted by your application security program. And if they do not understand the value the program brings to the company, or if the program is too intrusive or makes their job too difficult, they will not comply with your well thought-out rules.
This is why working with stakeholders while creating an application security program is essential to its success. You need to understand how the program will affect each team, and those teams need to understand how their day-to-day decisions directly determine whether this initiative succeeds or fails.
Who are the groups you need to consider when creating a program? How can you best work with them to ensure the success of your program? What are their main concerns? “Cracking the Code on Application Security Buy-in” provides answers to these questions as well as helpful hints on making your collaborations a success.