Managing an application security program is always a multifaceted endeavor. Whether you’re a small startup or an international enterprise, a successful program involves more than just scanning for vulnerabilities.
As IBM Security’s Florin Coada explained in his Think 2019 presentation, managing application risk requires a clear vision on objectives, education and communication across multiple organizational functions. Let’s take a closer look at four principles to keep in mind when formulating your application security program from the start.
1. Understand Your Goal: Security or Compliance?
Like with any project, setting attainable milestones is paramount to measuring progress and success. When it comes to governing your application security program, that means having a discussion with your team on what constitutes success: security or compliance? Both are entirely valid, especially if your organization requires specific industry certifications to conduct business with new customers. However, most regulatory compliance standards may not delve into the specific nuances of your app portfolio, so while you may have checked the box, that doesn’t necessarily protect you from an attack.
If you want to ingrain security into your team’s DNA, you’ll need to have a clear understanding of your application landscape, where you are vulnerable and where you need to bolster your defenses. That means prioritizing risk by calculating the impact of an attack along with the likelihood. A laundry list of medium-severity security flaws that are highly exploitable will need just as much attention as a single critical-severity finding that is less likely to be exploited.
Furthermore, consider additional security measures that may go beyond regulatory requirements. Security can often be positioned as a competitive advantage to your customers.
2. Empower Your Application Development Teams
While your security team may be the evangelists for secure coding practices, your development team is your standard-bearer. Communicating your security goals with developers will help them understand the value they bring to the business.
Developers often don’t get the training they need to efficiently fix application vulnerabilities and, if they do, the training often doesn’t pertain to their tool set. A Java developer is not going to be receptive to training on how to fix an injection flaw in Python. Show your investment in their success by building a training curriculum that is relevant to the tools your development team uses and addresses any wide knowledge gaps.
When you do make the decision to invest in an application security solution, it absolutely needs to integrate into the existing pipeline. Developers will not adopt your solution if it creates bottlenecks in their delivery sprints.
3. Respond, Don’t React
Building an action plan for an unforeseen security event can seem like an exercise in futility, but rest assured that building a team of dedicated application security experts will help streamline your response plan when vulnerabilities are exposed in your code or a zero-day threat is revealed. Building a cross-functional team across security and development is absolutely necessary to establish a defined process to fix vulnerable code and ensure that the remediation process doesn’t bog down your speed to market.
Additionally, understand your application security testing cadence and balance your testing suite with multiple technologies. For example, static analysis monitors data flow and seamlessly integrates into most agile, continuous integration and continuous delivery (CI/CD) and DevOps pipelines. Dynamic analysis lends itself more to internet-facing web applications and can be a routine step in your QA process just prior to deployment. Of course, with the proliferation of open source libraries into most production apps, open source testing has become more vital than ever. Having a designated task force to oversee a balanced application security testing suite will allow you to respond to threats instead of simply reacting to them ad hoc.
4. Communicate and Share Application Security Best Practices
As important as it is to communicate gaps in your program, it’s just as important to communicate and share triumphs as well. Invest in an application security solution that provides actionable metrics and dashboards that you can share with your executive team to relay progress within your security program and demonstrate return on investment (ROI).
Whichever way you decide to track progress, share those successes with the rest of the organization and make sure you share best practices with the broader team. For example, a “security champions” program is a proven method to inject security into your company’s DNA across multiple functional teams. Specifically, a security champion within your application development group can help cultivate secure coding practices and act as a peer adviser for addressing security findings.
Lastly, remember to recognize and give kudos to the teams and individuals that help realize the long-term objectives of your application security program. You can’t go it alone, after all.