May 8, 2019 By Joe Coletta 3 min read

Managing an application security program is always a multifaceted endeavor. Whether you’re a small startup or an international enterprise, a successful program involves more than just scanning for vulnerabilities.

As IBM Security’s Florin Coada explained in his Think 2019 presentation, managing application risk requires a clear vision of objectives, plus education and communication across multiple organizational functions. Let’s take a closer look at four principles to keep in mind when formulating your application security program from the start.

1. Understand Your Goal: Security or Compliance?

As with any project, setting attainable milestones is paramount to measuring progress and success. When it comes to governing your application security program, that means having a discussion with your team on what constitutes success: security or compliance? Both are entirely valid, especially if your organization requires specific industry certifications to conduct business with new customers. However, most regulatory compliance standards may not delve into the specific nuances of your app portfolio, so while you may have checked the box, that doesn’t necessarily protect you from an attack.

If you want to ingrain security into your team’s DNA, you’ll need to have a clear understanding of your application landscape, where you are vulnerable and where you need to bolster your defenses. That means prioritizing risk by calculating the impact of an attack along with the likelihood. A laundry list of medium-severity security flaws that are highly exploitable will need just as much attention as a single critical-severity finding that is less likely to be exploited.
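One way to put that prioritization into practice, as an added example that is not part of the original post: score each finding as impact × likelihood and rank the backlog on that product rather than on the severity label alone. The impact weights, likelihood values, and the sample findings below are assumptions constructed for illustration, not figures from the article.

```python
# Added example (not from the original post): rank findings by impact x likelihood
# instead of by severity label alone. All weights below are assumed for
# illustration, not a scheme the article prescribes.
from dataclasses import dataclass

# Assumed mapping: severity label -> impact weight (0-10 scale).
IMPACT = {"low": 2.0, "medium": 5.0, "high": 8.0, "critical": 10.0}
# Assumed mapping: exploitability label -> likelihood (0-1 scale).
LIKELIHOOD = {"unlikely": 0.1, "possible": 0.4, "likely": 0.7, "trivial": 0.9}


@dataclass(frozen=True)
class Finding:
    ident: str
    severity: str        # key into IMPACT
    exploitability: str  # key into LIKELIHOOD

    def risk(self) -> float:
        # Risk = impact * likelihood; an unknown label raises KeyError on purpose.
        return round(IMPACT[self.severity] * LIKELIHOOD[self.exploitability], 2)


def prioritize(findings):
    """Return findings ordered highest risk first (ties broken by identifier)."""
    return sorted(findings, key=lambda f: (-f.risk(), f.ident))


def total_risk(findings) -> float:
    """Aggregate risk of a backlog, so a pile of mediums can be weighed against one critical."""
    return round(sum(f.risk() for f in findings), 2)


# Constructed sample backlog: one hard-to-exploit critical next to several
# medium flaws that are trivially exploitable.
SAMPLE = [
    Finding("APP-101", "critical", "unlikely"),
    Finding("APP-102", "medium", "trivial"),
    Finding("APP-103", "medium", "trivial"),
    Finding("APP-104", "medium", "likely"),
    Finding("APP-105", "low", "possible"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.ident:8} {f.severity:9} {f.exploitability:9} risk={f.risk():.1f}")
    mediums = [f for f in SAMPLE if f.severity == "medium"]
    print("medium backlog risk:", total_risk(mediums), "vs lone critical:", SAMPLE[0].risk())
```

With these weights the three medium findings each outrank the critical one individually, and their combined risk of 12.5 dwarfs its 1.0, which is the point the paragraph makes.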

Furthermore, consider additional security measures that may go beyond regulatory requirements. Security can often be positioned as a competitive advantage to your customers.

2. Empower Your Application Development Teams

While your security team may be the evangelists for secure coding practices, your development team is your standard-bearer. Communicating your security goals with developers will help them understand the value they bring to the business.

Developers often don’t get the training they need to efficiently fix application vulnerabilities and, if they do, the training often doesn’t pertain to their tool set. A Java developer is not going to be receptive to training on how to fix an injection flaw in Python. Show your investment in their success by building a training curriculum that is relevant to the tools your development team uses and addresses any wide knowledge gaps.

When you do make the decision to invest in an application security solution, it absolutely needs to integrate into the existing pipeline. Developers will not adopt your solution if it creates bottlenecks in their delivery sprints.

3. Respond, Don’t React

Building an action plan for an unforeseen security event can seem like an exercise in futility, but rest assured that building a team of dedicated application security experts will help streamline your response plan when vulnerabilities are exposed in your code or a zero-day threat is revealed. Building a cross-functional team across security and development is absolutely necessary to establish a defined process to fix vulnerable code and ensure that the remediation process doesn’t bog down your speed to market.

Additionally, understand your application security testing cadence and balance your testing suite with multiple technologies. For example, static analysis monitors data flow and integrates readily into most agile, continuous integration and continuous delivery (CI/CD) and DevOps pipelines. Dynamic analysis lends itself more to internet-facing web applications and can be a routine step in your QA process just prior to deployment. Of course, with the proliferation of open source libraries in most production apps, open source testing has become more vital than ever. Having a designated task force to oversee a balanced application security testing suite will allow you to respond to threats instead of simply reacting to them ad hoc.

4. Communicate and Share Application Security Best Practices

As important as it is to communicate gaps in your program, it’s just as important to communicate and share triumphs as well. Invest in an application security solution that provides actionable metrics and dashboards that you can share with your executive team to relay progress within your security program and demonstrate return on investment (ROI).

Whichever way you decide to track progress, share those successes with the rest of the organization and make sure you share best practices with the broader team. For example, a “security champions” program is a proven method to inject security into your company’s DNA across multiple functional teams. Specifically, a security champion within your application development group can help cultivate secure coding practices and act as a peer adviser for addressing security findings.

Lastly, remember to recognize and give kudos to the teams and individuals that help realize the long-term objectives of your application security program. You can’t go it alone, after all.
