November 28, 2016

Building Your Application Security Program: The People Problem

As applications play an increasingly important role in business operations, your application landscape also gets increasingly complex. And it’s not going to get simpler anytime soon. The nature of the data applications manage means application security has become critical, but the nature of the application landscape means application security requires more than just implementing a tool. Those who are truly reducing application risks are approaching AppSec as a program, not a tool, and considering not just the technology aspect of the initiative, but the people and process aspects as well.

We typically see AppSec programs fail for two reasons: lack of experience in running an application security program, and the inability to hire enough qualified staff to run application security tools at scale. Very few application security managers have run large programs before and have the experience to predict ramp-up and adoption. The global shortage of security professionals also makes it difficult to hire enough people to coordinate between development and security teams.

In a report titled, “Hackers Wanted: An Examination of the Cybersecurity Labor Market,” the RAND Corporation states that: “It’s even harder to find senior resources who have the combination of security and business skills to drive a successful application security program: the estimated demand is 10 to 30 times larger than the available supply for security program managers.”

And according to LinkedIn research, there is a labor shortfall for infosec professionals of nearly 42 percent.

What happens to your application security program without enough or the right staff? The negative impacts include:

  • Delayed software releases because security issues are not getting fixed in time
  • Ever-increasing technical debt because found flaws are not fixed
  • Frustrated developers, creating friction with the security team
  • AppSec issues becoming marginalized due to a perceived inability to do anything about them
  • Increasing information security risk exposure

Don’t go it alone: Extend your team with program management experienced in application security

Bridge the security skills gap, and give your AppSec initiative the best chance to succeed by supplementing your team with application security experts. We’ve seen the difference this support makes: Veracode customers who work with our security program managers grow their application coverage by 25 percent each year, decrease their time to deployment and demonstrate better vulnerability detection and remediation metrics. Application security consultants get these results because they know from experience which activities are critical for success, what metrics to track, and how to optimize processes.

We aren’t suggesting you replace your internal team with outside consultants; rather, that you free your team to focus on managing risk by taking these tasks off their plates:

  • Addressing the blocking and tackling of onboarding
  • Application security program management
  • Reporting
  • Identifying and addressing barriers to success
  • Working with development teams to ensure they are finding and remediating vulnerabilities

Comply with regulations

Working with application security consultants also ups your chances of making the auditors happy. As it becomes clear that application security requires more than just a technology solution, several regulations are adding program management to their list of requirements. For instance:

  • NIST 800-53 lists Security Program Management as part of its control framework (federal sector).
  • The HITRUST Cybersecurity Framework (HCF) calls out Information Security Program Management as its first control (healthcare).
  • PCI-DSS 3.2 requires validation that PCI compliance is integrated into business-as-usual activities, effectively requiring establishment of a program (financial services, retail).

Set yourself up for success

Web and mobile applications now account for more than a third of data breaches, making application security a critical part of securing your organization. But make sure your investment in application security pays off. With the security skills gap, trying to manage a program 100 percent internally will not yield optimal results. Take a cue from those who are seeing AppSec success, and work with an expert to give your program the best chance to succeed.

Get started by hearing what the former manager of application security at a global investment bank has to say. Check out our new eBook, 5 Lessons From an Application Security Pro.

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions. 
