New to AppSec? We’ve been helping organizations like yours build out application programs for more than 10 years, and we have a solid list of best practices for developing an effective program. Below are four good ones to prioritize as you work your way toward AppSec maturity.
1. One step at a time
This is the first and most important best practice when you are getting started with AppSec. Don’t boil the ocean, slow and steady wins the race, Rome wasn’t built in a day – pick your metaphor – the bottom line is that AppSec is a process, and success lies with building out and maturing your program over time. Focus on a slow, steady, programmatic approach. You don’t want to jump in on day one and start scanning everything with strict remediation guidelines. We’ve seen organizations take this approach, and not only does it cause stress, but it is also ultimately ineffective.
At a high level, your first AppSec steps should instead look something like this:
- Gain commitment from executive level, security, and development.
- Define application inventory, business criticality, and target rollout phases.
- Define policy (ies).
- Conduct baseline scan of first phase of applications.
- Define program metrics.
Only when these steps are complete should you move on to things like developer education, integrating AppSec into your existing tools, automating the process, and onboarding new teams.
For more information, get details on the experience of one of our customers when building their AppSec program from the ground up.
2. Secure coding education
Underlying any successful application security program is education. Consider secure coding education early on, and throughout your application security program. Make sure your development team has the tools necessary to succeed.
Why is education important? Because most developers haven’t had training on secure coding, either in school or on the job. Without this training, they would be hard pressed to address any vulnerabilities uncovered in scanning, or to avoid making the same mistakes in the future.
The good news is that getting developers the security training they need makes a big difference. Our Platform data reveals that eLearning improves developer fix rates by 19 percent; even better, remediation coaching improved fix rates by a whopping 88 percent.
Ensure developers are empowered to write, build, and deploy secure code. Learn more in this video of our VP of engineering discussing developer training.
Thinking early on about integrating security into your SDLC and making security testing part of developers’ day-to-day routines is key. At Veracode, we feel strongly that this means embedding AppSec into the tools you are already using. Ultimately, application security that forces you to switch tasks and tools will be more disruptive and less effective.
Application security works best when integrated into your IDE, build server and CI/CD tools, defect tracking systems, and GRC systems.
Learn more about application security integrations.
The less human intervention your AppSec program requires, the better. Automate testing wherever and whenever you can. For instance, when application security scanning is an automated step in the build or release process, security testing simply becomes another automated test the build server performs, along with its other functionality and quality tests.
Learn more in our 5 Principles for Securing DevOps infosheet.
For more details on my experience helping organizations get started with AppSec, check out my recent webinar on the topic.