With the wrong approach, your AppSec solution could go the way of your treadmill: a great piece of equipment that never produces results. Technology is only one part of an AppSec solution, and a technology-focused AppSec plan will end up like a technology-focused New Year’s resolution: a dust-coated treadmill with clothes draped all over it. The equipment is only part of the equation; you get fit only if you have a plan. Similarly, you can use your shiny new AppSec solution to scan apps all day, but unless you also consider the people and process aspects, your program will not be effective.

Here are three things you should think about before scanning a single app:

How are you going to fix what you find?

Your scan results don’t mean much if you don’t fix anything they uncover. But just handing developers a long list of vulnerabilities is, at best, ineffective and, at worst, a showstopper. It’s like the “buy a treadmill and run for an hour every day” fitness plan. Fancy equipment + unattainable goals = new clothes hanger in the basement.

Consider the resources and expertise available to tackle AppSec, and fit your policy to their bandwidth. Setting the bar too high will only lead to developers finding workarounds, or ignoring the policy altogether. Don’t try to do too much too fast, and don’t over-complicate the issue. Keep things simple and manageable, and expand over time.

What are you going to fix?

“Everything” is not a reasonable answer – for your AppSec plan or workout plan. Focus on the priorities and best ways to start moving the needle in the right direction – in both cases. Get a handle on your application vulnerabilities by considering:

  • Standard lists of high-risk vulnerabilities: A policy that focuses on standards like the OWASP Top 10 or the CWE/SANS Top 25 is a good place to start. However, don’t overlook …
  • What is high risk for your particular organization: Not every flaw has a high chance of exploit, and every industry and business has unique levels and types of risk. What are your particular high-risk vulnerabilities?
  • Lessening risk vs. eliminating it: When do you remediate vulnerabilities, and when do you just mitigate them? Not all vulnerabilities are created equal; decide case by case whether to eliminate a threat, lower its risk or accept it. For example, if a static scan finds a SQL injection flaw in an application, but the tainted data source is a database with strict access controls that never takes user input, the flaw might warrant a “mitigated by design” designation rather than a “remediate” requirement. Record the reasoning behind any such designation, and revisit it if the data source or its controls change.
  • Input from other departments: Your priorities might not match those of other departments in your organization that play a role in application development or procurement. Ignoring those departments will, again, lead to employees creating workarounds to bypass your policy. In a best-practice scenario, line-of-business managers and cross-functional teams spanning legal, procurement, DevOps, and risk and compliance help weigh criteria, goals, risks and various other factors to develop a coherent and workable approach.
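To make the “remediate” versus “mitigated by design” decision above concrete, here is an added example (not code from the original post or from Veracode) in Python. It shows the kind of string-built query a static scanner flags as SQL injection, the parameterized form that remediates it, and a small triage routine that applies the policy described in the list. The Finding fields, the source names and the TRUSTED_SOURCES set are constructed for illustration; a real scanner’s output and a real organization’s list of controlled data sources will differ.

```python
"""Triage a static-analysis SQL injection finding: remediate or mitigate-by-design.

Added example for illustration; the finding records, source names and the
trusted-source policy below are constructed, not taken from any scanner.
"""
import sqlite3
from dataclasses import dataclass


@dataclass
class Finding:
    cwe: int               # CWE-89 is "SQL injection"
    sink: str              # function that builds and runs the query
    source: str            # where the tainted data enters the program
    user_controlled: bool  # does that source accept external input?


# Constructed policy: tainted sources that the organization has reviewed and
# considers controlled (strict access controls, no user input). Anything not
# listed here, and not user-controlled, still needs a human look.
TRUSTED_SOURCES = {"internal_config_table"}


def triage(f: Finding) -> str:
    """Return 'remediate', 'mitigated_by_design' or 'review' for one finding."""
    if f.cwe != 89:
        return "review"                    # this policy only covers SQLi
    if f.user_controlled:
        return "remediate"                 # attacker reaches the query: fix it
    if f.source in TRUSTED_SOURCES:
        return "mitigated_by_design"       # document the reasoning, re-check later
    return "review"                        # unknown source: do not auto-accept


# --- the code a static scanner would flag, and the remediated form ---

def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    # CWE-89: concatenation lets the input change the SQL grammar, so
    # a value like  x' OR '1'='1  turns a lookup into "select everything".
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str):
    # Parameterized query: the input is bound as data and is never parsed as SQL.
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # returns every row
    print("fixed:     ", lookup_fixed(conn, payload))        # returns no rows

    # Constructed findings, as a scanner might report them.
    findings = [
        Finding(89, "lookup_vulnerable", "http_request_param", True),
        Finding(89, "nightly_report_query", "internal_config_table", False),
        Finding(89, "queue_consumer_query", "message_queue", False),
    ]
    for f in findings:
        print(f"{f.sink}: {triage(f)}")
```

Two points worth noting. First, “mitigated by design” is a statement about the data source, not about the code: the concatenated query in the nightly report is still injectable, so if that code is touched for any other reason, switching it to the parameterized form costs little and removes the dependence on the database controls. Second, the triage deliberately returns `review` rather than `mitigated_by_design` for sources nobody has assessed; auto-accepting every non-user-facing finding is exactly the “setting the bar too low” failure that mirrors setting it too high.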

How are you going to measure your success?

You need to see how many pounds and inches you’ve lost to see if your workout plan is working, and to stay motivated to keep at it. You also need metrics to assess the effectiveness of your AppSec plan, and to keep executives “motivated” to support and fund your program.

Measure your AppSec results through a set of metrics and key performance indicators (KPIs): for example, the share of applications that pass your policy, flaw prevalence (how many flaws, and of which types, per application), fix rates and time to remediate, how you compare against industry standards, and progress against business- and goal-specific targets.

In the end, you need a well thought-out AppSec policy, but just as no two fitness routines are alike, every organization’s AppSec policy will be unique. Need help creating yours? Check out our new guide, Policy Matters: How to Build a Robust Application Security Governance Framework.


About Suzanne Ciccone

Suzanne is a marketing writer at Veracode. In this role, she’s part of a team working to shed light on AppSec through compelling and clear content. Suzanne has been a professional editor and writer for many years, for companies including Forrester Research, Cengage Learning and EBSCO Information Services.
