
CISO Perspective: Successful Secure Application Development

October 01, 2014

Organizations must focus on many areas within the business to ensure corporate data and assets are secure. Even though there are competing priorities, application security must be an important component of a successful information risk management program. This is even more important now given the growing trend for applications to reside outside the corporate perimeter. Because an application security program can affect business delivery timelines, it is essential that information security practitioners obtain and maintain the support of executive management and key stakeholders.

It is also important that the program be aligned with the goals of the business and focused on appropriate management of risk. There is no “one size fits all” application security program, but there are key activities for ensuring that your organization’s application security is right-sized for your company. 

Here are five tips that can help you build a successful application security program.

  1. Establish a cross-functional team to define the state of software application security and any opportunities to improve. Be sure that there are representatives involved from the various software application development teams, including non-IT stakeholders who may be developing software with third parties and leveraging cloud services for managing critical company systems and data. 
  2. Identify and evaluate the options for addressing application security concerns as a team. For example, when do you use static source code analyzers, and when do you engage independent penetration testing services? Most likely a combination of services will be used, selected according to a tiered risk model in which higher-risk applications receive deeper testing. Input from the software development team and key stakeholders is necessary for the organization to embrace the new process and the associated changes to the development life cycle. Also consider that companies generally do not like to pay more for testing software than for creating or hosting it, unless the risks are clearly understood.
  3. Document the application security program and ensure that the process is understandable and sustainable. Be sure that stakeholders understand the terminology and methodology to avoid gray areas. For example, if the methodology includes sampling for defects, be sure that individuals don’t expect all such instances of a vulnerability to be identified during testing.
  4. Develop training and awareness materials for developers to refer to as they create applications. This includes identifying any patterns or APIs that are commonly used for authentication, privacy, fraud detection, etc. To be cost-effective you may also want to leverage training programs that are available on the Internet or via subscription. As the program matures, consider whether you should test developer understanding and be sure to celebrate success when applications launch with zero defects. Metrics are important to show progress and business value.
  5. Obtain executive management support. Inevitably, someone will attempt to promote an application to production with a high-risk issue. The information security program must have support for assessing the risk to the company, especially if company policy is to deny the launch. If executives do not support the application security program or see its value, it will likely fail. The tone at the top is vital to ensuring that there is appropriate ongoing funding, including security tools and staff training. 

In summary, by focusing the application security program on business risk and benefits, organizations will reduce direct attacks on systems and data through insecure code. A pragmatic, risk-based application security program will help highlight the value of information security services to the organization. With executive management and stakeholder support, the information security practitioner no longer has to play judge, jury and bad cop alone.
