Oct 8, 2018

The View From a Veracode Solution Architect: My Top 5 Lessons Learned

By John Smith

I recently had an interesting question from a prospective customer:

What are the top 5 lessons learned from implementing your solution at companies similar to ours?

After careful thought, and soliciting input from my fellow solution architects in the EMEA region, I came up with the list below. We’re sharing it here in the hopes it proves useful to others as they work to develop software both quickly and securely.

1. Start with a clear policy

Which applications need to be tested? How is business criticality defined for applications? What flaws must be remediated? When?

A clear policy covering the whole AppSec lifecycle must be in place before a program can succeed. When it comes to defining which flaws must be fixed and the timeframe allowed for fixing them, it is critical to keep the rules as simple as possible and to change them as little as possible.

Get details in our Everything You Need to Know About AppSec Policies guide.

2. Bring the business with you

Successful AppSec programs depend upon cooperation between security and development and a shared sense of accountability, and this extends through every level of the organisation. Regular communication with your peers and alignment of your goals will allow you to lead in the same direction and provide clear messages to the development teams. In addition, make sure that development teams are aware of all the tools and services that are available to help them – from IDE plugins to remediation coaching.

Get details in our Everything You Need to Know About Getting Buy-In for Your AppSec Program guide.

3. Automate everything that you can

Automation is key in any AppSec implementation as reducing manual intervention will allow your program to cost-effectively scale and go faster. Integrating scanning into the SDLC toolchain and synchronising results into the ticketing system as work items provide a feedback loop for development. In addition, finding ways to automate scoping, on-boarding, and governance allows you to focus on improvement rather than leg work.

Get details on integrating AppSec into your development processes.

4. If in doubt, have a readout

The Veracode Security Consulting team can help with everything from preparing code for scanning and configuring scans to finding the best way to improve the security of your application. The goal of your program should be to reduce the risk that your applications pose to the business, and our experience shows that app teams who engage with our ASCs test more effectively and fix more flaws, thus reducing risk more efficiently.

Find out more about our Security Consulting.

5. Measure and improve

The key to continuously improving your AppSec program is to have meaningful metrics in place and to use them to guide your changes. This means that you must gain control of your app inventory (you cannot measure what you don’t know) and ensure that all in-scope apps undergo regular testing, regardless of code changes (unless gathered regularly, metrics become less meaningful).

Get details in our Everything You Need to Know About Measuring Your AppSec Program guide.
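Lessons 1 and 5 become a concrete check once the policy is written down as data. The added example below is my own illustration, not Veracode's product or its policy format: it encodes a small fix-window and scan-frequency policy, evaluates a constructed application portfolio against it, and derives the compliance metric that the measure-and-improve loop needs. The Policy, Finding and App structures and the sample portfolio are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Policy:
    fix_window_days: dict  # {business criticality: {severity: days allowed to fix}}
    max_scan_interval_days: int  # in-scope apps must be rescanned at least this often
@dataclass
class Finding:
    severity: str  # "high", "medium", "low"
    first_seen: date
    fixed: bool = False
@dataclass
class App:
    name: str
    criticality: str
    last_scan: "date | None"  # None: never scanned
    findings: list = field(default_factory=list)

def evaluate(app, policy, today):
    """Return the policy violations for one application; an empty list means compliant."""
    violations = []
    if app.last_scan is None:
        violations.append("never scanned")
    elif (today - app.last_scan).days > policy.max_scan_interval_days:
        violations.append(f"last scan {(today - app.last_scan).days} days ago")
    windows = policy.fix_window_days[app.criticality]
    for f in app.findings:
        if f.fixed or f.severity not in windows:
            continue  # severities without a fix window are reported but never block
        overdue = (today - f.first_seen).days - windows[f.severity]
        if overdue > 0:
            violations.append(f"{f.severity} flaw overdue by {overdue} days")
    return violations

def program_metrics(apps, policy, today):
    """Portfolio-level numbers that feed the measure-and-improve loop."""
    results = {a.name: evaluate(a, policy, today) for a in apps}
    compliant = sum(1 for v in results.values() if not v)
    pct = round(100 * compliant / len(apps), 1) if apps else 0.0
    return {"apps": len(apps), "compliant": compliant, "compliance_pct": pct, "violations": results}

# Constructed sample policy and portfolio (made up for this example, not real customer data)
POLICY = Policy({"high": {"high": 30, "medium": 90}, "medium": {"high": 90}}, 90)
TODAY = date(2018, 10, 8)
APPS = [
    App("payments", "high", date(2018, 9, 20),
        [Finding("high", date(2018, 8, 1)), Finding("low", date(2018, 1, 1))]),
    App("intranet", "medium", date(2018, 5, 1), [Finding("high", date(2018, 9, 1))]),
    App("billing", "high", date(2018, 10, 1), [Finding("medium", date(2018, 8, 1), fixed=True)]),
]
```

Running `program_metrics(APPS, POLICY, TODAY)` reports one compliant app out of three: the payments app has a high-severity flaw 38 days past its window and the intranet app has not been scanned within 90 days.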

Pulling it All Together

We’ve been helping customers secure their application landscape for more than a decade, and we’ve learned what works. Find out how all the above lessons come together on the path toward AppSec success in Everything You Need to Know About Maturing Your AppSec Program.

John Smith, Senior Principal Solution Architect for Veracode in EMEA, has been working in Information Security for more than 20 years and specifically in Application Security since 2004. He has been part of the evolution of AppSec from ad-hoc testing using technologies such as Dynamic Analysis through to the comprehensive and programmatic approaches seen in mature organizations today, where highly integrated and automated testing is backed up with strong policy and governance. At Veracode John is responsible for helping our customers and prospects understand the ways we can help them to be more effective and efficient in identifying and reducing their software security risks.