4 Steps for Establishing an Effective AppSec Strategy

by Joanne Godfrey on September 11, 2020

Companies are rushing to launch digital transformation initiatives and roll out new software products and services at greater speed than ever before. But one false move, such as releasing insecure software that facilitates the loss of company or customer data, can destroy your business.

The easiest way, by far, to protect your business and your customers is to build software products that are secure from the start. With software now defining and driving all businesses, the need for an AppSec program has never been more critical. But ramping up an AppSec program is not a simple process. You need time, staff, expertise, not to mention budget, all of which are generally in short supply right now. You also need to figure out a strategy for the program, one that supports your own specific business needs, culture and resources. This strategy should encompass four core components: the ends, the means, the how and the why.

The Ends: Figuring out what to protect

Not all applications are of equal value. Some are internal facing, some are external facing, some utilize customer data, some are informational, etc. So, the first thing to do when ramping up an AppSec program is to consider which are your most valuable assets. Is it your intellectual property? Sensitive customer data? Financial data? You’ll also need to understand how this data is used and by which applications, all within the context of your business. So, if your new web app is driving revenue and it’s offline, that’s bad for your business’ bottom line. But what’s far worse and much costlier is a breached application that allows malicious actors to gain access to your network and customer’s personal data.

Through inclusive dialogue with business owners, risk, compliance, security and engineering, you’ll to need determine the value and criticality of your assets—as well as the applications that use them. In turn, this assessment will drive the means and ways you protect them.

The Means: Lining up the right tools for your AppSec program

There are many technologies available today to protect critical data and applications, as well as infrastructure. But building secure products from the outset is by far the easiest and most cost-effective way. In practice, this means running scans to discover vulnerabilities during the software development life cycle (SDLC), then analyzing, correlating and prioritizing the data from these scans so developers can easily remediate vulnerabilities as quickly as possible.

Sponsorships Available

So, the second component of an effective AppSec program is to line up the right tools to discover and manage vulnerabilities in your business-critical applications. Selecting the right scanning tools will depend on the languages and frameworks in your application portfolio, performance requirements and budget, as well as how these tools are implemented throughout your specific SDLC.

One way to ramp up an AppSec program is to use open source security scanning tools. Many open source security scanning tools deliver powerful capabilities. They are free and readily available, making them a practical choice for companies seeking to implement an AppSec program quickly. But regardless of whether you’re using commercial and/or open source AppSec tools you’ll need to be able to centrally orchestrate and manage these disparate tools to gain real value. You’ll also need to find a way to correlate and prioritize findings in order to make the data actionable and operational for security and development teams.

The Hows: Facilitating productive collaboration between security and development

This leads us to the third component. There needs to be—or you need to build—a committed relationship between the security team responsible for finding security vulnerabilities and the engineering team who actually performs the remediation work.

We often hear the engineering team isn’t super interested in having the security team run assessments during build pipelines. Or, they don’t want to hear about the litany of security issues discovered because they already have a deep backlog.

This is where both teams must get on the same page regarding risk. There needs to be an understanding that application security vulnerabilities are a risk to the business in the same way as financial risk or market risk. Which applications should be scanned, when they should be scanned, what vulnerabilities gets fixed, when should they be fixed and how they get fixed must be aligned with what’s best for the business. Moreover, vulnerability findings must be delivered to developers in an easily consumable and useable format—without unnecessary “noise”—so they can quickly and easily focus on fixing the source of the problem, all without disrupting development processes. Ultimately, by working collaboratively with security, the engineering team can become more efficient and effective, producing higher quality code from the get-go.

The Whys: Communicating effectively with executives

The fourth component of a successful AppSec program is about effective communication. Salient AppSec information must be communicated to business executives and application/product owners in risk terms they can relate to, such as potential loss of revenue; reputation and brand impact; criticality of security vulnerability (high-medium-low); time and cost of remediation (and the impact on other strategic initiatives); compliance violations and legal implications. Obviously, timing is important too. The earlier you flag a security problem with a business-critical application, the quicker it can be addressed. This way, you can hopefully avoid any meaningful impact to your business.

Over time, the business changes, the economic environment changes, people and their perspectives change, breaches happen. And any of those things can be a tipping point in changing perceptions around application security. But to stay competitive while growing business—all within a volatile threat landscape and unpredictable economy—one thing remains constant. Security teams, engineering teams and business executives must work hand-in-hand to understand, assess and mitigate risk. They must continuously measure the impact and results of the program—and then iterate and iterate. The success of your business depends on it.