I’ve been working as a Veracode security program manager since 2013, and have adopted AppSec best practices in those six years that contribute to successful AppSec programs. I started my journey here as a program manager and was fortunate enough to manage and lead some of Veracode’s largest and most complex customer programs. Today, I’m managing a team of program managers.
In this blog, I will walk through four key components to consider when kicking off your program with Veracode. These are all components I’ve implemented when managing large programs, and which have led to AppSec success by helping organizations understand what’s needed in order to have a successful, well-functioning application security program.
The first component is Veracode customer engagement. You might be thinking, “of course, this is a given,” but in some cases I’ve seen (moreso in the past), it’s not. The No. 1 roadblock with the customers I’ve seen struggle has been lack of engagement. An established security team (on the client side) who can act as the liaison between the development organization and Veracode is very important. In some cases, increasingly so with the DevSecOps push, dev management is involved as well.
When I first began my journey with Veracode, security didn’t exist at many organizations, so an engaged team also didn’t exist. Today, when I go on-site and meet with my customers, I frequently thank them. I thank them for their dedication and engagement level, because without the primary, day-to-day contacts, it would be more difficult to get the necessary traction. At Veracode, we say it’s a team effort. Customers who identify teams who are willing and eager to work with their Veracode contacts is the No. 1 step toward success. This is also a team or individual who can act as a Veracode advocate and work with the Veracode SPM to tackle Veracode initiatives and be an internal presence that helps drive and motivate, making security No. 1 so that our clients’ customers are confident they’re using secure products and applications.
My second on the list is cross-functional communication. It is imperative for a program to have cross-functional communication between the security team and main teams involved, including executives and the development organization. Communicating policy mandates, remediation plans, and automation plans across all functions, including developers and DevOps teams, early on in the program, is going to put a program ahead. Understanding what the best communication method is in order to circulate important plans across teams, whether it’s through email or a newsletter, and who should be delivering it, should be well thought out. Veracode Program Management acts as an extension of our customers’ teams and, therefore, can help with messaging and delivery.
Ultimately, communication will prevent confusion and promote awareness, which is important to the health of a program. When a developer is introduced to security scanning requirements or remediation plans later in the development lifecycle, it can affect release dates. The team will be in a much better position if they know early on what they’re responsible for and when, and any consequences if they do not incorporate security into their SDLC.
Next is application inventory, which is another major component. This is a list of your organization’s high-risk applications that are most critical to the business and could impact company brand or reputation if breached, OR application inventory could be all applications in the organization. If you do not know this information early on, it could cause delays when kicking off a program.
We recommend companies scan all their applications. However, many organizations start their programs with a baseline of only their high-risk applications. If you fall into this category, having that list ready and sharing it with your Veracode Security Program Manager will keep everyone in alignment. Your SPM will provide a list of the important information needed when gathering application inventory information, and prior to setting up application profiles in the Veracode platform.
Finally, once you’ve identified your team, have a communication plan in place, and have created an application inventory, the next step is to map out program strategy. This is where your Veracode SPM will have a discovery session with you and your team to discuss the future of the program, and obtain key information to ensure success. He or she will also review the critical activities that need to take place in the security program to keep it on track. Additionally, the SPM will review measureable metrics with you and discuss what the key metrics are to the organization/teams in order to track program success down the road. The SPM will handle the operational effort to get you there and report back regularly to ensure that you are achieving your organizational goals through those metrics.
The SPM will ask several questions to help develop and kick off your program, including:
- Details about your SDLC environment, development tools, and systems the development teams are using. This is imperative as the push to shift left and toward DevSecOps is a major focus for many organizations today. The end goal is to fully automate your application security program, because automating and integrating security into your CI/CD pipeline will make for a seamless program that will save you and your developers time and money.
- Identifying development teams and setting onboarding schedules. Training users on how to use the Veracode platform will help immensely with developer adoption and awareness. Veracode provides training and always offers flexible schedules to accommodate developers globally.
- Establishing a remediation process and workflow. The end goal is to bring down those very high and high flaws to get you closer to being compliant with your organization’s policies and standards.
Lastly, we will have discussions around automation and integration into your CI/CD pipeline. As mentioned, this will save time for developers by streamlining the scanning process through automation and having them consume Veracode scan results in their environment, rather than manually running scans and reviewing results in the UI.
Whether you’re an existing customer or potential customer, if all of these items are checked off at the beginning, then you will be on the right path to kick-starting a robust application security program that everyone at your organization will be onboard with.
Get more details on maturing your application security program in our guide, Everything You Need to Know About Maturing Your Application Security Program.
And you can always get valuable tips and advice on managing AppSec from other Veracode customers in our Community.