The One Thing Necessary for a Healthy AppSec Program

Jack Palance had the right idea in City Slickers. “Do you know what the secret of life is? One thing, just one thing. You stick to that and everything else don’t mean shit.” Billy Crystal says, “That’s great, but what’s the one thing?” The response: “That’s what you’ve got to figure out.” The converse was well-stated in The Princess Bride. “If you haven’t got your health, you haven’t got anything.”

I believe this to be true of a healthy AppSec program as well. If you have this one thing, everything gets easier. Conversely, if you don’t have it, everything is hard. If you don’t have this, it should be your top priority. It has nothing to do with the tools you build or buy. Your vendor can’t solve it for you. Automation won’t fix it. Changing development methodologies can’t save you either. It doesn’t even matter how much you understand about security. It’s something you need to build into the fabric of your company. What is it already, you ask? Accountability.

I have had exposure to hundreds of AppSec programs. I get to see them from the inside. I get the pleasure of consulting with companies to build and improve their programs over time. There is exactly one thread that ties together the programs that are healthy and making solid progress on risk reduction. Let me be clear that accountability as I use it is not punitive. It is based on pride in one’s work. Think of it as taking responsibility to meet the security needs of the business. It’s an internal motivator and not one imposed upon us. Typically the business holds the security team responsible for application security, but do they write the code? Why shouldn’t the people who create the problem be responsible for fixing it as well? It’s no different than making a DevOps team responsible for managing their work in production. It fundamentally changes behaviors.

Know that getting accountability in place is the beginning and not the end. Instead of pushing for compliance and putting gates in the way of releases, there will be a pull for your talent and expertise to provide clarity and assistance. There is a lot of great work that will need to be built on this strong foundation, but that’s for another post.

Pete Chestna

Pete Chestna has more than 25 years of experience developing software and leading development teams, and has been granted three patents. Pete has been developing web applications since 1996, including one of the first applications to be delivered through a web interface. He led his company from Waterfall to Agile, and finally to DevOps in addition to taking the company from a monolithic architecture to one based on microservices. Since 2006, Pete has been a leader in the Application Security (AppSec) space and has consulted with some of the world’s largest companies on their AppSec programs. In addition to his role as a contributing editor at DevOps.com, he now shares his experience by speaking internationally at both security and developer conferences on the topics of AppSec, Agile and DevSecOps. Buy him a whisk(e)y and he’ll tell you all about it.
