Oct 29, 2020

A Software Security Checklist Based on the Most Effective AppSec Programs

By Hope Goslin

Veracode’s Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams.

As the presenters walked through the data, the discussion broadened to AppSec best practices and the steps organizations can take to mature their programs. Here are the best practices laid out during the presentation, arranged as an easy-to-follow checklist, with supporting data from the ESG report.

Application security controls are highly integrated into the CI/CD toolchain.

In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.

Application security best practices are formally documented.

In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions.

Application security training is included as part of the ongoing development security training program.

Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don’t receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team.

Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs – such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they’re completing their training, they’ll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices.

Ongoing developer security training includes formal training programs, and a high percentage of developers participate.

At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production.

According to the survey, 35 percent of respondents answered that less than half of their development teams are participating in formal training. And only 15 percent reported that all their developers are participating. As for frequency, less than half require their developers to engage in formal training more than once per year.

Development managers are responsible for communicating best practices to developers.

Developers rely on the information they receive from their development managers. Development managers should follow the organization’s documented AppSec best practices and communicate those practices to their developers.

Security issues are traced back to the individual development teams.

Forty-two percent of organizations responded that they track security issue introduction for individual development teams. This number should be much higher: if you don’t track the security issues introduced by each team, a team can make the same mistake multiple times. When you do track them, you can target improvement efforts at the teams and individuals who introduce the most issues.

You track your AppSec program using formal processes and metrics to ensure that it’s continuously improving.

You should have a formal process in place to regularly measure your AppSec program using metrics. With the right metrics, you can pinpoint areas where your AppSec program is performing well and areas that could use improvement. The data can also be used to show senior management or stakeholders if their AppSec investment is getting the right return on investment (ROI).

You track individual development teams using metrics to ensure that they are continuously improving.

Just as you should be tracking if security issues are introduced by individual development teams, you should also be tracking if the development teams are making continuous improvements. If you are addressing teams or individuals when security issues are introduced, it should be expected that the teams/individuals are taking steps to ensure that the same mistake doesn’t happen again. Metrics can be used to prove that the teams are actively making improvements.

You track security issues during the code development process.

If code is not tracked for security issues in the development phase and a vulnerability is identified later in the software development lifecycle (SDLC), it can be costly and time-consuming to fix the flaws. You can track the code with a tool like Veracode’s IDE Scan. The IDE Scan reviews code in real time and provides remediation methods.

Automated risk aggregation tools roll up risk to keep senior development leaders informed.

Senior development leaders should be fully aware of the risks and vulnerabilities in their applications. Consider using automated risk aggregation tools to keep leaders informed in an efficient manner.

To make sure your organization is following the best practices, download the printer-ready Software Security Checklist: 10 Elements of an Effective AppSec Program.

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.