Starting an application security program at our mobile app company was becoming an inevitability. Yet, there were still groups within the company that didn’t see the value or thought starting a full-scale program wasn’t worth the effort. My challenge – in addition to developing a strategy that reduced risk and didn’t slow down the development processes – was to make these adversaries into allies.
Why we started an AppSec program
With security questions coming in from clients purchasing our software, DoubleDutch needed someone to client facing who could speak to the security of our platform. The responsibility fell to me, and I quickly realized we couldn’t continue responding to one-off requests for security attestation. Doing so was significantly slowing down our sales cycle and putting us at a disadvantage with our competitors. We needed to have a way to demonstrate our security posture and the best way to do that was to create an application security program as part of our software development lifecycle and to use this approach to achieve a third-party seal of approval for our security.
I found a partner that could help us create a security program and that could provide this seal of approval in the form of the Veracode VerAfied seal. With a trusted partner in place to help develop our application security strategy, the next big hurdle was getting the internal teams impacted by the program on board with the strategy.
Identifying the relevant teams
While I work on security with almost every department at our company, the two teams I was most focused on was product management and engineering. Each of these teams would be directly impacted by any AppSec policies we created, so I needed them to be on board with what we had planned. I knew this would be a challenge as these teams typically see security as an inhibitor to their progress. Security initiatives slow them down as their timelines are already dedicated to deadlines around produce updates. They are focused on delivering a great product that fulfills the needs of our customers. My goal was to work with the team so that “secure” became part of the definition of “great product”.
Turning adversaries into allies
From my own experience, I know I am less likely to balk at change if I am part of the conversation on how the change should occur. I think that is just human nature. Realizing this, it only made sense to work with the developers and product management rather than dictate how we would go about integrating application security into our development processes. In doing so, I was able to first understand how our development processes worked, and how we came up with product requirements. With this understanding, I was able to work with the team to come up with realistic expectations around security.
Working with other teams to make AppSec a differentiator
Though the product management and development team buy-in were crucial to the program, there were other groups that needed to understand what the benefits of this program would bring to the company.
To start, the management team needed to see the value of the program not just from a security perspective, but also from a business perspective. To demonstrate that need to the management team we explained that many of our customers were asking about our security practices and this line of questioning was slowing down our processes. In Europe, for example, our customers were particularly concerned about the security of their third-party software because they are liable for any breaches, even if they happened due to a vulnerability in vendor software rather than their own. By achieving a VerAfied status from Veracode we’d be able to move beyond this objection.
Once this was understood, the marketing department was even able to use this as a differentiator for our software as our competitors did not have this seal.
Companies are becoming more aware of the threat vulnerabilities in the software they purchase pose. As a software vendor, this means we will continue fielding questions about our security processes and the posture of specific applications. I knew the best way to manage this challenge was to implement a full scale application security program which integrated with our development processes. By working with the development team rather than dictating what they needed to do, made it possible for us to create a full scale program and make security a differentiator for us rather than a sales hurdle.