Application security is an emerging and critical aspect of a security program; however, not all AppSec attitudes are created equal. Unlike other security initiatives, application security affects many different people in your organization – and in different ways. A developer’s attitude toward, and concerns about, an application security program will not be the same as those of a member of the legal department, and a CTO’s will be completely different again.
Understanding the different priorities of the groups that will be affected by AppSec, and what they are going to need from the initiative, will go a long way toward AppSec success.
Here’s what each team cares about and how AppSec affects those priorities.
Beyond the security team, AppSec affects developers more than any other individuals in your organization. Developers want their code to be secure, but not at the expense of their deadlines. Application security can’t be a development roadblock, or it will simply be overlooked or bypassed. Application security solutions should work the way developers work, and developers should have a voice in the planning of any application security program.
What’s the ROI? Will it save us money, time, make us more efficient? Will it reduce our risk? These are the questions the C-suite will want answered around AppSec. Because of their focus on the health of the business and the bottom line, this group doesn’t want to hear about the technology of the solution, but about the business impacts. Talk to them about the numbers surrounding AppSec, and you’ll increase your chances of getting their support.
Make your legal team an AppSec helper rather than a hindrance. If you’re a software vendor, or if you are including third-party applications in your AppSec program, the legal team will want to make sure the words are right – whether it’s a contract for applications you are purchasing or a contract for software you are selling. The legal team will need to be part of any contract negotiation to ensure your requests of vendors are legal and that your practices for testing third-party applications do not breach your customer contracts. In addition, the legal team will help you craft language around your own security posture in situations where you are the software vendor.
Marketing is all about outreach, which today means heavy use of new technology and tools to connect and share information with prospects and customers. Marketing departments are spinning up websites and landing pages, purchasing and creating mobile apps, hiring third-party contractors to help with automation, and purchasing applications from third-party vendors. But introducing all this technology also frequently means introducing a lot of risk. Make sure marketing is aware of application security, corporate AppSec policies, and the implications of their innovations.
Do you have a plan for working with the various groups in your organization on AppSec? Get more details with our guide, Joining Forces: Why Your Application Security Initiative Needs Stakeholder Buy-In.