A joint blog post from Veracode and ThreadFix
When it comes to maturing an AppSec program, there are several best practices that can help you get started. In part two of our AppSec podcast series, Tim Jarrett, Director of Product Management at Veracode, and Kyle Pippin, Director of Product Management at ThreadFix, share the top 3 things they’ve learned from organizations that have successfully matured and scaled their AppSec programs.
1. Know your anchor points.
The first thing you need to think about when maturing your AppSec program is the current landscape of your organization. What are the things you can’t change? It could be that you can’t find more AppSec resources (supply and demand) or that there is no budget for additional scan types. Whatever the constraints are at your organization, you need to acknowledge them so that you can find acceptable workarounds.
Next, if you are not doing so already, you need to automate as much as possible. If application security scans are automated into the developers’ existing tools and processes, there will likely be an increase in scan activity and developers will have more free time to work on securing their code and remediating flaws. Automation can also be used for other purposes, like onboarding. Since security professionals are hard to come by, they are often stretched thin for time. Because of this, security professionals can become a bottleneck when it comes to software deployments. If you automate some of their tasks, like onboarding developers in security best practices, it can free up some of their time and improve speed to market.
3. Focus on outcomes.
Last, but certainly not least, it’s important to focus not just on finding, but fixing flaws. You can help developers improve fix rates through training measures. For example, Veracode Security Labs is a great tool to help developers practice writing and remediating code in their chosen language. Implementing a security champions program is also a useful way to help make security top of mind for developers. Most developers don’t take security courses in college, so unless they are learning about security at their organization, chances are it’s not a strong skillset. If you find developers who are interested in learning more about security, you can train them to be security champions and they can take those skills back to other developers.
To learn more about the best practices for maturing your AppSec program, check out part 2 of our AppSec Bites podcast series with Threadfix.