Whether you’re starting your Application Security (AppSec) program from scratch or looking to improve an existing one, it’s important to consider various factors such as program maturity, organizational structure, and effective strategies. Unfortunately, there’s no one-size-fits-all solution, as each organization has unique needs and requirements.
Luckily, four industry experts came together for a live discussion on the quest for a perfect Application Security program. They provided insights on best practices, approaches, and tips for addressing common challenges. By the end of the event, participants left equipped with the knowledge and confidence to create, build, and scale a successful AppSec program.
Starting an AppSec Program
When starting an Application Security program, the first step is to gain buy-in from all relevant parties. Without buy-in, the effectiveness of any subsequent activities will be limited. This buy-in must come from the developers, engineering teams, and the entire company at the corporate level. Once buy-in is achieved, a risk framework should be established. After all, identifying risks and performing scans is pointless if there is no one to remediate the issues.
If you are starting your AppSec program from scratch, the framework of people, process, and technology is crucial. It is essential to have a deep understanding of how the organization functions to ensure that the AppSec program’s framework seamlessly integrates with the rest of the organization. If the framework does not fit in well with the organization’s existing processes and fails to make it easy for everyone, then the adoption of the program will be challenging. It is necessary to examine the organization’s current activities and identify the technology assets and gaps to create a comprehensive plan.
Budgeting and Building Blocks
The size of an organization is not necessarily the determining factor for whether it needs an AppSec program. Any organization that is involved in software development, regardless of size, should have an AppSec program to ensure that the applications it produces are secure. It is important to start building the right building blocks for AppSec early and make it a part of the organization’s culture. This can involve starting from the first line of code with easy-to-onboard solutions that are free. Even a small amount of AppSec is better than none.
When it comes to budgeting for an AppSec program, it is important to understand the organization’s specific needs and risks. This will help determine the level of investment required to build and maintain an effective program. This may involve investing in tools, training, and personnel to support the program. It is also important to consider the potential cost savings that can be achieved through early identification and remediation of vulnerabilities. Ultimately, the budget should be based on a realistic assessment of the organization’s needs and risks, and should be adjusted as necessary to ensure that the AppSec program remains effective over time.
Selecting Appropriate Tools
The next step in creating an AppSec program is to consider the tools required for integration. For startups or small companies below 500 employees, open-source tools can be used if the team has the expertise to implement them effectively. However, for larger companies that are scaling, it may be more appropriate to use commercial tools that integrate with existing pipelines, provide reporting capabilities, and make it easier for developers to remediate issues. If there is a limited budget, opting for open-source tools is still better than having no tools at all.
Operating in a scenario where you don’t know what you are protecting can be challenging. When selecting a tool for this purpose, it is important to involve the developers in the proof of concept (POC) phase and seek their feedback. This will ensure that they are happy with the tool and that it does not flood them with false positives. The tool should be precise and should provide proof that developers can trust.
Collaboration and Selection for Successful Implementation
Application Security plays a critical role in bridging the gap between engineers and decision-makers by guiding them towards the right decisions. However, AppSec is vulnerable to losing buy-in from either side of the equation, which can hinder its ability to impact decisions. Therefore, it is important to be mindful of both sides and ensure that decisions are made collaboratively to maintain buy-in and ensure successful AppSec implementation.
In order to effectively implement an Application Security program, it is essential to select tools and solutions that fit into the organization and drive value, taking into account whether the organization belongs to the segment of the market that uses DevOps and modern development technologies. Deploying the wrong tools can create antagonism between AppSec and development teams, leading to a lack of alignment and collaboration. It is therefore crucial to carefully examine the organization's current activities and select tools that align with how the organization works to maximize value.
Prioritization: Tools, Business Logic, and Risk Scoring
Prioritization is one of the core problems that organizations face when it comes to Application Security. The approach to choosing and prioritizing activities will depend on the size of the organization. For a small team with someone who is very technical, writing scripts or calling the GitHub API directly may be an option. For larger organizations, it is important to start looking at tools that provide visibility over all repositories and services, including what is in production and what is not. Understanding which assets are critical and which are externally exposed is important in knowing what to give to developers to fix first.
It is also important to look at the company’s mission and understand how important the application is to that mission. This will help determine how important the vulnerabilities are to that particular application. Here, business logic vulnerabilities should also be taken into consideration, as understanding the logic of the application can help identify the actual threat to the application or API.
Risk scoring is another important factor to consider, such as whether the application is public facing or private, whether it contains sensitive data, and whether there are any legal or compliance requirements that apply to it. By considering these factors, organizations can prioritize their application security activities effectively.
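As an added illustration of the scoring factors just described (this is not code from the discussion or its panelists), the following Python ranks constructed findings by severity weighted by exposure, sensitive data, compliance scope and mission criticality. The weights are assumptions chosen for illustration, and an asset whose exposure is unknown is scored as public facing, the conservative choice when you do not yet know what you are protecting.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed weights for the factors in the text: severity, public exposure,
# sensitive data, legal/compliance scope and importance to the mission.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
PUBLIC_FACING_MULT = 2.0
SENSITIVE_DATA_MULT = 1.5
COMPLIANCE_MULT = 1.5
MISSION_CRITICAL_MULT = 2.0


@dataclass
class Asset:
    name: str
    public_facing: Optional[bool] = None  # None: exposure unknown (inventory gap)
    sensitive_data: bool = False
    compliance_scope: bool = False        # subject to a legal/regulatory requirement
    mission_critical: bool = False        # central to the company's mission


@dataclass
class Finding:
    asset: Asset
    title: str
    severity: str


def risk_score(f: Finding) -> float:
    """Severity weight multiplied by the asset's risk factors."""
    score = float(SEVERITY_WEIGHT.get(f.severity.lower(), 1))
    # Unknown exposure is treated as public until the asset inventory is fixed.
    if f.asset.public_facing is None or f.asset.public_facing:
        score *= PUBLIC_FACING_MULT
    if f.asset.sensitive_data:
        score *= SENSITIVE_DATA_MULT
    if f.asset.compliance_scope:
        score *= COMPLIANCE_MULT
    if f.asset.mission_critical:
        score *= MISSION_CRITICAL_MULT
    return score


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest-risk findings first: this is the list handed to developers."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (hypothetical assets, not real systems).
SAMPLE_FINDINGS = [
    Finding(Asset("payments-api", True, True, True, True), "IDOR on invoice lookup", "high"),
    Finding(Asset("internal-admin", False, True), "Stored XSS in user notes", "critical"),
    Finding(Asset("marketing-site", True), "Outdated JS library", "medium"),
    Finding(Asset("legacy-reporting"), "Verbose error pages", "high"),  # exposure unknown
]
```

Run `prioritize(SAMPLE_FINDINGS)` to see the public, regulated, mission-critical asset outrank a critical finding on a private tool, and the unknown-exposure asset land above the public marketing site.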
Collaboration and Alignment
In order to prioritize effectively, all teams involved in the development and security process must work together seamlessly. It's important for the AppSec team to operate on the same timeframe and in the same cycles as the development team, and for all teams to consider the business's overall goals and risk factors. Without proper alignment, a gap opens between development and AppSec, and findings go unremediated. Empowering people and delegating responsibilities can help to streamline the process and ensure that everyone is working towards the same goals. With a ratio of 500:1 developers to AppSec, it's important to focus on collaboration and ensuring that everyone is part of the process, rather than trying to take over the project. By working together and aligning cycles, teams can prioritize effectively and achieve successful outcomes.