When you make an investment in an application security program, you’re expecting to derive value from the initiative; in other words, you’re expecting to get some kind of return on your investment. After more than 10 years working with organizations to implement and build out application security programs, we have a pretty clear sense of what that value is. We find that the value derived from an AppSec program stems from:
But you won’t reap these benefits unless you follow best practices and implement certain facets of an application security program. Those who simply plug in a tool and focus on scanning only will not derive the value listed above, but might in fact hinder the progress and productivity of their development teams.
You won’t get a solid return on your AppSec investment unless you consider application security a program, not a tool, and work to incorporate several best practices that go beyond simply scanning your code. Those best practices include:
Secure coding education: Prevention is key to deriving value from application security, and the best way to prevent security-related defects in your code is to train your developers to identify and avoid them. Even better, provide targeted training that hones in on specific defects emerging in your code. This is especially important because the reality is that most developers simply don’t have the skills or experience to code securely. We recently conducted a survey that found that the vast majority of developers don’t get security training either in school or on the job. And we’ve seen first-hand the effects of educating developers on secure coding – our customers who take advantage of eLearning on secure coding improve their fix rates by 20 percent.
Integrated and automated testing: You will lessen the value derived from application security testing if it hinders and slows your development process. And human intervention will slow you down. True value lies in maintaining your development speed while producing high-quality, secure code. You won’t achieve this unless security testing is integrated into development processes, and automated as much as possible. For instance, embed testing into the development process as developers are writing code. In addition, automate testing in the CI/CD pipeline, and automatically open and close tickets related to security issues. The more you can automate and integrate, the more value you will see.
Remediation guidance: Ultimately, application security offers very little value if you aren’t fixing the defects you find and reducing your risk of breach. But, as mentioned above, most developers are not trained to identify or remediate security-related defects. With remediation guidance, developers will efficiently and effectively fix what they find, and learn to do so going forward. With this know-how, you’ll derive both real risk reduction and a real boost to your bottom line. We’ve found that our customers that take advantage of remediation coaching see a 70 percent improvement in fix rates over those that don’t.
Security champions: Security skills are hard to come by, application security skills even harder. Leverage your security team and its skills without adding headcount by creating security champions. A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either ﬁx the issues in development or call in your organization’s security experts to provide guidance. In the end, security champions will help you derive more value from your application security program without incurring significant costs.
We know application security can produce a solid return on investment, but only if you understand what that return looks like and the best ways to achieve it. Get more details on boosting the ROI from your AppSec program, and measuring that ROI, in our eBook, Making Application Security Pay.