This is the first blog in a series that will look at each stage of an application security program’s maturity and outline what the next steps are to move toward an advanced program.
We typically see organizations fall within one of these four stages of application security:
If you are in the first stage and taking a reactive approach to application security, you are most likely driven by the need to comply with industry regulations or proof-of-security requests from customers. With this ad-hoc approach, you most likely only assess applications using some form of manual penetration testing. In addition, remediation is based on the needs of the customer or industry regulations, and only fixes the most egregious software flaws.
With this reactive approach, responding to customer requests or industry regulations is both expensive and time-consuming – and leaves you at risk of regulatory fines or losing sales because of security concerns. Creating a proactive approach to application security will put you out ahead of the customer and auditor requests, improving both your security and your bottom line. But how do you get to that point? To make this leap, the first priorities are gaining executive buy-in, and understanding both your current application security state and what your application security goals are. Here are our recommended next steps:
Gain commitment from executive level — and communicate the executive mandate on AppSec. It’s critical to get the executive team on board in the early days of developing an application security program, and that entails understanding what stakeholders at the executive level care about and how best to approach them with your case. Basically, the executive team’s main concern around any new initiative is how it will impact the bottom line. Once you have support for your application security program from the executive team, other departments in the organization will be compelled to participate and support the program as well.
Complete an application security maturity assessment. Get a handle on the current status of application security at your organization, and where there are holes. CA Veracode uses a variant of the OpenSAMM software assurance maturity model to help our customers to understand and improve their application security processes and posture.
Establish program goals. The most common strategy for AppSec goal-setting is to use the OWASP Top 10 as a guide for vulnerabilities that must be remediated. Whatever metric you choose, it is crucial to first baseline the current status of application security at the organization and set predictable timelines for measurement frequency, as well as set expectations for what constitutes success and what indicates a need for continued improvement.
Define policy. Scanning code for vulnerabilities represents only part of the solution. You need to lay out the specifics of how the scanning will occur and what will happen with the results – in other words, what will be remediated, what will be mitigated and what doesn’t pose a threat. Every organization’s policy will be unique, based on factors like industry regulations, but you need to set guidelines for what is expected.
Create an inventory of all your applications. You can’t secure what you don’t know about. Part of the reason for the huge percentage of breaches involving web applications is a lack of visibility into the web perimeter — most enterprises don’t even know how many public-facing applications they have. In fact, CA Veracode typically finds 30 percent to 40 percent more websites than customers thought they had. By running a discovery scan of your web perimeter, you can quickly gain an inventory of your external web applications. From there, you can immediately reduce risk by either patching vulnerable sites or even eliminating sites that are no longer in use, but still active.
Once you’ve completed these steps, it’s time to start assessing apps and working with developers on secure coding. Get details on your next steps, and all the steps involved in building an application security program – including tips and advice from someone’s who’s been there – in our new guide, From Ad Hoc to Advanced Application Security: Your Path to a Mature AppSec Program.