I recently had an interesting question from a prospective customer:
What are the top 5 lessons learned from implementing your solution at companies similar to ours?
After careful thought, and soliciting input from my fellow solution architects in the EMEA region, I came up with the list below. We’re sharing it here in the hopes it proves useful to others as they work to develop software both quickly and securely.
1. Start with a clear policy
Which applications need to be tested? How is business criticality defined for applications? What flaws must be remediated? When?
A clear policy covering the AppSec lifecycle must be in place before you can work towards a successful program. When it comes to defining the flaws that must be fixed and the timeframe allowed, it is critical that this be kept as simple as possible and changed as little as possible.
Get details in our Everything You Need to Know About AppSec Policies guide.
2. Bring the business with you
Successful AppSec programs depend upon cooperation between security and development and a shared sense of accountability, and this extends through every level of the organisation. Regular communication with your peers and alignment of your goals will allow you to pull in the same direction and send consistent messages to the development teams. In addition, make sure that development teams are aware of all the tools and services that are available to help them – from IDE plugins to remediation coaching.
Get details in our Everything You Need to Know About Getting Buy-In for Your AppSec Program guide.
3. Automate everything that you can
Automation is key in any AppSec implementation: reducing manual intervention allows your program to scale cost-effectively and move faster. Integrating scanning into the SDLC toolchain and synchronising results into the ticketing system as work items provides a feedback loop for development. In addition, finding ways to automate scoping, on-boarding, and governance allows you to focus on improvement rather than leg work.
Get details on integrating AppSec into your development processes.
4. If in doubt, have a readout
The Veracode Security Consulting team can help with everything from preparing code for scanning and configuring scans to finding the best way to improve the security of your application. The goal of your program should be to reduce the risk that your applications pose to the business, and our experience shows that app teams who engage with our ASCs test more effectively and fix more flaws, thus reducing risk more efficiently.
Find out more about our Security Consulting.
5. Measure and improve
The key to continuously improving your AppSec program is to have meaningful metrics in place and to use them to guide your changes. This means that you must gain control of your app inventory (you cannot measure what you don’t know) and ensure that all in-scope apps undergo regular testing, regardless of code changes (unless gathered regularly, metrics become less meaningful).
Get details in our Everything You Need to Know About Measuring Your AppSec Program guide.
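As an added illustration of lessons 1, 3 and 5 (example code, not from this post or from Veracode), here is a small policy-as-code gate in Python: a deliberately short policy, a CI check that turns in-scope open findings into ticket work items, and a couple of run-to-run metrics. The policy, app inventory and findings are constructed sample data, and the field names are assumptions.

```python
from datetime import date, timedelta

# Constructed policy (lesson 1): keep it short and change it rarely.
# Severity -> days allowed to fix; severities absent here need not be fixed.
GRACE_DAYS = {"critical": 0, "high": 30, "medium": 90}
# Business criticality of the app scales the grace period.
CRITICALITY_FACTOR = {"high": 0.5, "medium": 1.0, "low": 2.0}
APP_CRITICALITY = {"payments": "high", "intranet": "low"}  # constructed inventory

# Constructed findings, shaped like a scanner export (not real scanner data).
FINDINGS = [
    {"id": "F-1", "app": "payments", "severity": "critical", "first_seen": "2024-01-02", "fixed": False},
    {"id": "F-2", "app": "payments", "severity": "medium", "first_seen": "2024-01-10", "fixed": True},
    {"id": "F-3", "app": "intranet", "severity": "high", "first_seen": "2024-02-01", "fixed": False},
    {"id": "F-4", "app": "intranet", "severity": "low", "first_seen": "2024-02-05", "fixed": False},
]

def deadline(finding):
    """Remediation deadline for a finding, or None if policy does not require a fix."""
    grace = GRACE_DAYS.get(finding["severity"])
    if grace is None:
        return None
    factor = CRITICALITY_FACTOR[APP_CRITICALITY[finding["app"]]]
    return date.fromisoformat(finding["first_seen"]) + timedelta(days=int(grace * factor))

def evaluate(findings, today_iso):
    """CI gate (lesson 3): returns (passed, work_items, metrics) for a run on today_iso."""
    today = date.fromisoformat(today_iso)
    work_items, overdue = [], 0
    for f in findings:
        due = deadline(f)
        if f["fixed"] or due is None:
            continue  # fixed, or out of policy scope: no ticket needed
        late = today > due
        overdue += late
        # Work item payload to sync into the ticketing system as the feedback loop.
        work_items.append({"title": f"[{f['severity']}] {f['id']} in {f['app']}",
                           "due": due.isoformat(), "overdue": late})
    # Metrics (lesson 5): what the program tracks from run to run.
    metrics = {"open_in_policy": len(work_items), "overdue": overdue,
               "fixed": sum(1 for f in findings if f["fixed"])}
    return overdue == 0, work_items, metrics

if __name__ == "__main__":
    passed, items, metrics = evaluate(FINDINGS, "2024-03-01")
    print("gate passed:", passed, metrics)
    for item in items:
        print(item)
```

The gate fails only on overdue findings, so a new high-severity finding creates a ticket immediately but does not block the pipeline until its grace period runs out.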
Pulling it All Together
We’ve been helping customers secure their application landscape for more than a decade, and we’ve learned what works. Find out how all the above lessons come together on the path toward AppSec success in Everything You Need to Know About Maturing Your AppSec Program.