According to a new research report from Information Security Forum (ISF), only 32 percent of its membership is satisfied with their security assurance program – though 80 percent say that they want to take a more business-focused approach to security. Given the ever-evolving threat landscape, security leaders understand that they always need their finger on the pulse of how secure their organization’s information is. This can prove to be challenging if the right processes and controls are not in place across development, IT, and security in your organization.
Often times, communicating the security of your organization –and communicating it well – comes down to asking the right people the right questions, and taking smaller steps to achieve the desired outcome. In the report, Establishing a Business-Focused Security Assurance Program, ISF proposes that organizations build on existing compliance-based approaches instead of recreating the wheel. To map out where the program needs to go and begin evolving it with business in mind, IFS notes that security leaders should:
- Identify what business stakeholders want from security assurance
- Break down the requirements into manageable tasks to move from current to future approaches
- Apply repeatable security assurance process across multiple target environments (i.e. business processes, projects and supporting assets where appropriate in your organization)
“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are,” said Steve Durbin, Managing Director, ISF. “A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”
Including Secure Coding in the Security Control Discussion
According to the 2019 Verizon Data Breach Investigations Report, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting personal data to create a profit.
An often-overlooked way to tighten security in your organization is to provide developers with the tools they need to code securely, and to continue learning about different vulnerabilities as they work. When development teams are able to scan for vulnerabilities in their code while they work, they’re less likely to be introduced in the QA and production stages. The State of Software Security Report Volume 9 shows that organizations that are conducting application security scanning more than 300 times per year are able to shorten flaw persistence by 11.5 percent.
This means that development leaders must be included in security control discussions. Their team may work in a different way than others across your organization, so understanding how to support them to make security a seamless priority in their day-to-day processes is a necessary step for security assurance. Once the DevSecOps approach to application development has been adopted, it’s even easier to verify for your executives – as well as customers and prospects – that you really do take security seriously.
The Right Analytics to Tell the Right Story
Analytics are useful for determining exactly what the right metrics are for AppSec managers to share with executives and their board. Given that policy compliance is often the number one priority for this audience, AppSec managers need to set their threshold for what they’re willing to accept and what they’re unwilling to accept when it comes to the appropriate level of risk and the type of data involved.
The Veracode Platform includes Veracode Analytics, which empowers our customers to set up custom analytics once they’ve determined their risk threshold and application criticality. With an easy-to-use dashboard view, AppSec managers can review their AppSec program to make sure that development and security teams alike are scanning all of their applications – and fixing what they find.
The Veracode Platform and Veracode Analytics can be a game-changer for your business, as it helps you to stay focused, motivate your teams, ensure better resource allocation, and help you more strategically communicate your security posture to the executive team.
For more on getting executive support for application security, see Everything You Need to Know About Getting AppSec Buy-In.
For more on measuring your application security program, see Everything You Need to Know About Measuring Your AppSec Program.