/jul 14, 2020

Your 30-60-90 Day AppSec Plan

By Hope Goslin

Your stakeholders have signed off on an application security program, you’ve selected a vendor …  but now what? There is no detailed handbook or instruction manual for getting started because every organization is different. You need to formulate your own plan to make sure the program meets the individual needs of your organization.

But that doesn’t mean that there aren’t tips or suggestions to help get your wheels turning. One good place to start is the Veracode Community, where developers and security practitioners can ask questions and solicit feedback from Veracode employees or fellow Community members. On Tuesdays, the Community gives customers a “Tip” or advice from an industry expert on a particular topic. One of the recent tips was a 30-60-90-day road map with recommended goals and steps to consider when rolling out an AppSec Program.


In the first 30 days, some of the proposed first steps include training key members of the AppSec team, prioritizing applications for scans, and defining what a successful AppSec program looks like at your organization. The map even provides some examples of metrics that you can use to measure the success of your program.


By 60 days, you should have your development team fully onboarded. In fact, they should be ready to start some basic scans. The key to success during month two is to make sure that developers and security professionals have a strong feedback loop and a positive working relationship. That way, when developers start scanning, security practitioners will feel comfortable and confident that developers have security measures top of mind, and developers will feel comfortable going to security with remediation questions.

In a recent Veracode Community post on best practices for strengthening the developer and security practitioner’s relationship, several community members weighed in on what has worked at their organization. Mwaldis335267 argued for integrating AppSec testing tools into developers’ existing processes to make testing more convenient. Mark Merkow of HealthEquity pointed out that “before releasing tools and confounding processes to development teams, it's essential that every team member clearly understands the reasoning and the intent of using AppSec tools/processes.”

Toward the end of the third month, you should have integrations set up and you should be ready to review the current progress of your AppSec program. Some questions you should be asking the team on day 90 include:

  • Are there any additional developers that need to be onboarded?
  • Are there any new apps that need to be scanned?
  • How are the teams handling the current policies? Do any need to be changed?
  • How long should we be giving developers to remediate flaws?

By reading through the road map and considering the goals and steps, you should be able to get started on your journey. However, if you have questions or need support throughout the process, you can always reach out to your Veracode SPM or ask a question on the Veracode Community

Related Posts

By Hope Goslin

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.