The basic blocking and tackling of defining and executing an application security program includes having an executive mandate, a policy, and an inventory of your applications. These comprise the minimum requirements to successfully define and execute a program. But once a program is defined, what are the factors that make it successful? Optimizing your application security program means setting it up in a way that is “most conducive to a favorable outcome” and set up for growth, scale, and success (Merriam Webster).
As I’ve worked with our customers to optimize their programs over the past seven years, I see four distinctions that separate fledgling from mature AppSec programs:
Leaders who follow these four recommendations have seen their AppSec programs become the model for their company’s larger vulnerability management programs. They have seen the number of applications they onboard into the application security program rapidly scale, increasing the coverage of applications under risk management – from legacy apps on the ground to next-gen apps in the cloud. And they have seen a concurrent and sharp decrease in the number of existing open flaws (security technical debt) through remediation across static analysis, dynamic analysis, and manual penetration testing.
Application security is as much a cultural problem as it is a technical problem. DevSecOps requires:
Use analytics to not only measure how far you’ve come historically, but to also provide direction on future priorities. For example, some of the most helpful metrics are Scan Aging (average number of days since the previous scan for a group of apps in a BU) and Flaw Aging (average number of days flaws have been open in a BU). These can be compared against a company’s grace period and scan frequency policies to identify out-of-compliance teams and applications. Start with the worst offenders each week to quickly show progress in addressing risk.
Once you have a culture that wants to do something about AppSec, plus the metrics in place to measure, you can mix those together to get prescriptive next steps for addressing pockets of non-compliance. The next-step action items can be laid out before each team of developers to guide them on where to apply their tools and efforts for the benefit of the program.
The CI/CD pipeline is the new firewall, where you can prevent insecure code from being released to production. The benefit of a secure SDLC is that application security flaws will be caught earlier on in the development process and fewer flaws will escape into production, reducing the risk of insecure code being deployed. A mature and secure SDLC will have security overlayed and integrated into each stage of the development process, as early as possible and with the least impact to the developer.
The outcome of a secure SDLC is that applications will be released to production with fewer vulnerabilities to fix later, they will be compliant with policy, and critical vulnerabilities will be prevented from escaping into production – all while leveraging automation and shift-left code scanning technologies to allow developers to write software quickly and securely.
These four areas provide the tools for making application security part of the DNA of software development. For more information, please watch the webinar Optimizing Your Application Security Program.