Application security is unlike other forms of security in that it directly impacts the daily routines of your co-workers. When you implement new anti-virus software, most employees won’t notice, and when you create a new firewall rule, it generally doesn’t impact anyone except the network manager creating the rule.
But application security is different, primarily because it requires the participation of the development team and has the potential to disrupt their software lifecycle — which in turn negatively impacts their ability to meet production schedules. In addition, you will need the support and backing of the executive team in order to encourage participation and ensure funding.
Even the most well-thought-out plan, with strong policies, guides and metrics, will fail if those policies aren’t followed. The simplest way to ensure your policies are ignored and your efforts at reducing risk are in vain is to create your program in a silo.
Learn more about how to explain the importance of application security to executives in
Building a Business Case for Expanding Your AppSec Program.
The board of directors, the C-suite, and the other members of your executive team — including the chief information security officer (CISO) — play a central role in supporting and sponsoring application security. They’re integral to strategic alignment, sponsorship across the organization, delivering essential financial and human resources, and supporting a framework for collaboration and communication.
If you have support for your application security program from the executive team, other departments in the organization will be compelled to participate and support the program as well. If affected departments don’t understand and embrace the changes brought about by your program, you’re stalled.
Ultimately, the more support the application security program has from the C-suite, the more likely the security team will be able to scale the program to cover the entire application layer over time. The end goal needs to be a mature, robust application security program that secures every application at your organization, regardless of origin. It’s not enough to secure only the applications you build or only the business-critical ones. Recent high-profile and costly breaches have stemmed from non-business-critical third-party applications and open source components. Your organization isn’t truly secure unless your application security program can assess every application, with the ability to scale as your organization expands and changes.
NYSE Governance Services, in partnership with Veracode, recently surveyed nearly 200 directors of public companies representing a variety of industries — including financial services, technology and health care — to discover how they view cybersecurity in the boardroom.
When asked to rank their biggest cybersecurity fears, 41 percent of directors said they’re most worried about brand damage. Another 47 percent are nearly equally split between concern over theft of corporate intellectual property (such as strategic plans and proprietary designs) — leading to a loss of competitive advantage — and the total cost of responding to a breach (including cleanup, lawsuits, forensics and credit reporting costs).
When asked how they’d like cybersecurity information to be presented, nearly two-thirds of respondents indicated a strong preference for either risk metrics or high-level strategy descriptions.
It’s clear that CISOs should be speaking to the board in terms that directors understand, such as by using risk benchmarks compared to industry peers and talking about breaches in similar industries — rather than by describing specific security technologies.
Get more details on this NYSE/Veracode survey report and its findings in our webinar, Understanding the Board’s Perspective on Security.
of applications that Veracode scanned in a recent 12-month period had at least one vulnerability on initial scan
State of Software Security
of applications have a security flaw in an open source library on initial scan
State of Software Security, Open Source Edition
of breaches are caused by web applications, the largest cause by far
2020 Verizon Data Breach Investigations Report
The global cost of cybercrime is predicted to cost the world more than $6 trillion annually by 2021
2017 Cybercrime Report, Cybersecurity Ventures
“Know your audience when speaking to the board about security. Do not use acronyms — think ‘denial of service,’ not DDoS. Use visuals instead of text, use analogies, and always use numbers, especially dollars if possible, such as losses from public data breaches. Bottom line: They want to know what are the odds our company will experience a damaging security breach and what are we doing to prevent that.”
Veracode Co‑Founder and CTO
Another recent study that Veracode conducted reinforces the idea that you get the board’s attention with stats and facts about the bottom line and brand damage. Our survey with YouGov questioned more than 1,000 business leaders across the UK, U.S. and Germany about their company’s digital transformation initiatives and understanding of cybersecurity. Business leaders recommended the following approaches when talking to the board about cybersecurity initiatives:
Mention the money: Forty-six percent of business leaders in the U.S. stated that highlighting the cost of a breach, determined by a standard metric and cost of past breaches, will engage the board.
Point out the personal pain: More than a third of business leaders (38 percent) reported that giving senior executives examples of the personal brand damage that can come as a result of a data breach is an effective strategy for engaging them with cybersecurity. Highlighting the threat to executive jobs was also a commonly shared suggestion, with 35 percent of business leaders across all regions suggesting this would get board members sitting up and listening.
To ensure the success of your application security initiative, it’s essential to work closely with your developers so they understand the guidelines, strategies, policies, procedures and security risks involved with application security. What’s more, they must be prepared and equipped to operate securely within their particular development processes.
Your application security program affects the development team more so than any other team in your organization. An advanced application security program requires security to be built into the software development lifecycle, and, as such, a poorly implemented application security program has the potential to disrupt the development team’s day-to-day work.
Development teams’ biggest fear when they hear their organization will enact an application security assessment program is that their development efforts will be slowed down. This team can be the biggest barrier to the success of the program because if they don’t follow the protocol set forth by the program plan, the security team will be unable to demonstrate the value of the plan.
“From my own experience, I know I am less likely to balk at change if I am part of the conversation on how the change should occur. I think that is just human nature. Realizing this, it only made sense to work with the developers and product management rather than dictate how we would go about integrating application security into our development processes. In doing so, I was able to first understand how our development processes worked and how we came up with product requirements. With this understanding, I was able to work with the team to come up with realistic expectations around security.”
Security Team, DoubleDutch
Consult development teams early during the plan’s conception and throughout its evolution. This way, the security team can ensure the assessment protocols don’t disrupt the development lifecycle and, instead, enhance the development processes by making it easier for developers to find and remediate vulnerabilities. When meeting with the development or development operations teams, be prepared with a set of best-practice guidelines you’d like to implement. However, don’t present the guidelines as a set plan or strategy. Instead, describe your outline as a starting point for discussions, and ask for ideas on how this process can best fit into the existing development lifecycle. The less you have to change the current processes and the more you try to adapt your plan to fit their needs, the more likely its success.
Make a concerted effort to learn as much as you can about your developers’ priorities and processes. You have a much better chance of getting buy-in if you have a clear understanding of how the initiative will affect developers’ routines.
This understanding will become more critical as DevOps emerges. As development processes change and evolve toward a DevSecOps model, the lines between development and security will blur. In fact, in a true DevSecOps world, developers would own security testing and the security team would take more of an enabling and supportive role. Whatever development process your organization now follows, the future is DevSecOps, and the sooner security understands development — and development understands security — the more successful you’ll be.
Find out more about increasing your knowledge of developer processes in our guide, The Security Professional's Role in a DevSecOps World.
Don’t invest in an application security solution without developer input. And investigate AppSec tools that make it easy for developers to code securely. Look for solutions that are automated and integrate into the tools and processes developers are already using.
Get more details on developer-friendly AppSec tools in Five Principles for Securing DevOps.
Most developers don’t have security training. And without it, they’ll struggle to get on board with your application security initiative.
A recent survey Veracode sponsored found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren’t advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don’t provide them with adequate training in application security.
The good news is that this is a problem with a solution. Our 2017 State of Software Security data shows that developer training leads to significant application security results.
Developer training that is hands-on and relevant is much more effective. Learn more about Veracode Security Labs in this white paper.
Set yourself up for AppSec success by getting stakeholders on board early. Your program will stall before it starts without the full support of the executive and development teams. Especially with the rise of DevSecOps and the security “shift left,” developers will increasingly play a key role in security — make sure they have the tools and skills they need to keep your program on track and your organization safe.
Contact us for help developing an application security plan and program.
Veracode is the leading AppSec partner for creating secure software, reducing the risk of security breach and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of automation, integrations, process, and speed, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Veracode serves more than 2,500 customers worldwide across a wide range of industries. The Veracode cloud platform has assessed more than 14 trillion lines of code and helped companies fix more than 46 million security flaws. Learn more at veracode.com, on the Veracode Blog, and on Twitter.
Copyright © 2021 Veracode. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.