Jan 3, 2017

Can You Defend Your AppSec Program? Be Ready to Answer These Questions

By John Zorabedian

Every AppSec manager needs to work with stakeholders across the organization, from the CISO to development teams to departments that make their own decisions about buying the software they depend on to do their jobs. If you want to earn buy-in for your AppSec program, you’ll have to be responsive to the different concerns of each type of stakeholder.

To help you, we offer this list of questions you might need to answer to defend your AppSec program against pushback. The answers will be particular to your organization, but preparation is key to success.

The CISO and Executives

When talking to the CISO or other executives, the key is to focus on the benefits to the organization, rather than the technology or technical details of the program. For the C-suite, the main concern is the cost-benefit ratio. You’ll need to give accurate information about the risk that vulnerabilities in the application layer pose to the organization, and how reducing this risk will ultimately save the company money and time.

Be prepared to answer questions like:

  • What does our risk posture look like now?
  • Why should we invest in application security, as opposed to other forms of cybersecurity?
  • What metrics will you use to demonstrate progress?

Development and DevOps

Development can be the biggest barrier to the success of the program if you don’t get their buy-in. Developers are most concerned about how an application security assessment program could slow them down with added complexity. Be prepared to show how security testing protocols won’t disrupt the development lifecycle but will instead make it easier for developers to find and remediate vulnerabilities.

Be prepared to answer questions like:

  • How will the assessment process fit into the current development lifecycle?
  • How will this impact the development teams’ productivity?
  • What training programs will be put in place to help the development team?

Software Purchasers

In the past, software purchases went exclusively through the IT department. But the democratization of IT now means that any part of the organization can purchase software. Although no one wants to be the weak link that introduces unnecessary risk, or worse, causes a breach, software purchasers need to understand how your application security assessment program affects them and the protocols for working with the security team.

Be prepared to answer questions like:

  • Why do we need to assess the security of software we buy?
  • How do I get approval for software purchases, and what is the process?
  • What about security for software we already purchased?

Upgrade Your AppSec Program

You can get more tips about implementing and improving your AppSec program with our Application Security Program Checklist.


John Zorabedian is a blogger, content marketer, and research editor. He has a background in marketing and journalism, writing about IT security, technology, business, politics and culture. He lives and works in the Boston area.