It doesn't take an army to reduce appsec risk - here are five ways you can get more out of a smaller team.
We all know there is a shortage of skilled security professionals in the current marketplace, particularly as many organisations move to address their risk in the application security space. Application security is a higher priority for C-Level Executives these days. This is partly due to the technical strategies they choose to adopt - with a need to scale and grow their application security programs as their organization's application development scales and accelerates. But let’s face it, for some it is because of the external pressure coming from regulators. This is becoming evident across industries and geographies. So, how should an Application Security Team respond?
Adding more skilled security professionals to an application security program will undoubtedly help to grow and expand a program – certainly if headcount is your measure of success! But, by considering five key points, it’s possible to achieve more with application security without the need to multiply your headcount with overhead all that it entails – recruiting, training, salaries, and office space to name but a few.
The Mission - Clear Policies and Mandates
As with any company-wide initiative, it’s important to ensure all members of an organisation are aware of what is required of them, alongside visibility of a clear policy which can be measured against.
By ensuring senior stakeholders in your organisation are advocating your Application Security initiatives, and the expectations of compliance are transparent you can ensure Application Security practices are adopted and adhered to. Also, when communicating these always tie it back to why it is important!
These elements combine to create a focus for Application Security that is key to ensure all team members in the organisation are pulling in the same direction.
The People - Training and Support
Enabling and maximising the productivity from your staff is key in any operations, and the same is true be for Application Security. From security awareness for all staff to detailed language specific secure code training for developers, ensuring the existing team has sufficient training to understand the key concepts and latest trends in Application Security will enable them to address the risks being identified. Also, ensuring that Developers and Project Teams have the necessary support from Security will allow for application security to be a consideration in any application development, not an afterthought.
The Operation - Secure SDLC
Security testing should be introduced as early as possible into the SDLC. This enables the teams to undertake Application Security testing alongside their workflow and development efforts. This enhancement to the SDLC value chain will allow for the final deliverable to be more secure, rather than having to rework a ‘ready to deploy’ application to address security risks, burning more development time and project costs. They will thank you in the end!
The Execution - Defined Processes and Integration
Taking the time to clearly define and document processes and procedures around Application Security will help to drive efficiencies in security assessment activities. In addition to this, the ability to then leverage defined processes and workflows with integration options will link Application Security into existing efforts. This minimises the impact and time required to include Application Security assessments ranging from IDE plug-ins to APIs feeding into vulnerability management systems for monitoring of flaws and vulnerabilities.
The Intelligence - Data Driven Decisions
And finally, the value of leveraging data is key to informing your strategy particularly where investments should be made. Through the analysis of Application Security data, organisations can review and measure adoption of processes across the organisation, performance by business units, and identify the root cause of vulnerabilities in applications as well as assessing coverage across the entire organisation. This information lets you focus what resources are available into the areas where you can receive the maximum impact/benefit.
In essence, with the right planning, technology and execution you can win your battles with a SWAT team not an army!