/apr 30, 2019

Your AppSec Program Can Make Your Developers and Your CFO Happy

By Laura Paine

While cybersecurity risk is steadily growing, so too is the recognition that application security (AppSec) is critical to protecting valuable enterprise resources. More than ever, ensuring that you have a program that spans the entire SDLC is critical to preventing breaches into your organization and customer data. Just as it is important to inventory and secure all of the applications in your portfolio, it’s equally important that your applications are coded securely. Let’s be real: there are a few ways that shifting your application security program left can go wrong. This can include purchasing solutions that don’t really fit the needs of your organization, failing to determine what flaws need fixing first in order to avoid breach, and measuring success against the wrong metrics. This can cost you valuable resources, including your developers’ time and energy, your clients’ trust – and incite the ire of your organization’s CFO.

Here are three tips for running a developer-friendly AppSec program that saves your organization’s most precious resources.

Create Strong Application Security Policies

You know how you treat each email you receive with varying levels of attention and detail? The same sort of policies should be implemented when it comes to fixing flaws found in your software. Like any tool or methodology, AppSec requires a strong structural framework to deliver maximum results. A broadly defined and unfocused program, and the absence of strong AppSec policies, can lead to teams chasing down every flaw and fix. Essentially, you’re running the risk of overwhelming your developers who will no longer have the time or energy to take threats seriously.

There is no one-size-fits-all framework when it comes to creating application security policy (here’s a guide to get you started). It’s really a matter of setting the bar at the right risk and protection level, determining which flaws really matter, understanding remediation and mitigation, and keeping an eye on third-party applications and open source components. Focusing on AppSec standards, like OWASP Top 10, and balancing the needs of your organization will position you for maximum performance and protection, and help you avoid developer burnout.

Identify Appropriate Metrics

The right set of metrics and key performance indicators (KPIs) can greatly simplify and streamline both your software development and your application security. There are a few other metrics to consider beyond meeting your organization’s policy requirements. For example, organizations that have adopted Agile and DevSecOps will find themselves scanning applications and code more frequently. This kind of scanning, when done through automated integration with development systems and at the times best aligned for the development team, can limit the number of vulnerabilities introduced in the Testing and Production stages. Ensuring scan frequency also means reduced mean time to remediate (MTTR) – Veracode’s State of Software Security Volume 9 found that development teams who scanned 300 or more times per year are fixing flaws 11.5x faster than other organizations.

Another metric to consider is flaw density. Flaw density provides a way of looking at the number of flaws produced from a static analysis over the size of the application and can provide directional guidance when comparing groups of applications. A high flaw density simply means more flaws to address, allowing the opportunity to determine where best to use AppSec resources and prioritize flaws accordingly. The beauty of implementing a developer-friendly AppSec program is that it decreases flaw density over time. The Total Economic ImpactTM of the Veracode Application Security Platform, a Forrester Consulting study, shows that prior to using Veracode, the composite organization experienced 60 flaws per MB of code. After adopting the Veracode platform and integrating tools into their CI/CD pipeline, the composite saw a reduction in security flaws of 50% to 90% over three years.

Ensuring that your team has access to actionable results from all application security testing scans performed in a single platform makes coordinating remediation between security, development, and other IT teams easier and more efficient. It also simplifies your ability to measure against the metrics and KPIs set for your organization. To learn more about how to measure your AppSec program, check out the Everything You Need to Know About Measuring Your AppSec Program guide.

Select the Right Solutions

When it comes to AppSec, you need a combination of solutions to ensure that you’re securing your applications at every stage – that’s right, there’s still no silver bullet in security. In the Forrester Consulting study, the organizations interviewed used the Veracode Platform to build stringent security controls and integrate application security testing into their CI/CD pipeline. In addition to using Veracode Static Analysis and Veracode Dynamic Analysis, these organizations shifted security left using Veracode Static Analysis IDE Scan and Veracode Software Composition Analysis to identify issues at inception in the SDLC.

As a result, they found that developers were introducing fewer flaws to their code and that the flaws they did find took less time to resolve because we are able to offer contextual remediation advice for those security flaws. Since security flaws were caught earlier in the SDLC, the organization saw a 90 percent reduction in time required to resolve these flaws. Resolutions which previously took 2.5 hours on average were reduced to 15 minutes.

With MTTR included in your overall metrics, it’s important that your application security solutions are designed for speed AND a low false positive rate. This means that security and development teams will spend less time sorting through results to find actual vulnerabilities, and spend more time fixing what matters so that they can move on to other projects.

Developing an AppSec Road Map Saves Time and Money

Organizations need to conduct security testing at the speed of modern day software development in order to maintain tight product roadmap deadlines and increase speed to market. When your teams take the time to understand the bigger picture, the solutions that they need to get the job done well and done efficiently, and they’re able to save time and money doing it, everybody wins. Your development teams will have the space to make your next standout product or feature. You will have the resources to invest in furthering their development education. Your applications will be more secure and your entire organization will be the better for it.

Related Posts

By Laura Paine

Laura Paine is a senior product marketing manager at Veracode, based in Burlington, MA.