Practice Manager, Application Security, CISSP, CCSP, OSCP
Shawn Asmus is a practice manager with Optiv’s application security team. In this role he specializes in strategic and advanced AppSec program services and lends technical expertise where needed. Shawn has presented at a number of national, regional and local security seminars and conferences.
Quick Tips for Building an Effective AppSec Program – Part 3
This is the last post in my series on creating an effective AppSec program within your organization. In my last post, we discussed the importance of toolchains, defect tracking, and establishing vulnerability management processes to help your AppSec and development teams stay on top of remediation efforts in an efficient and programmatic way.
In this post, we’ll spend some time exploring how to enable the various stakeholders across the organization, how to measure the effectiveness of your AppSec program, the importance of a knowledge management system, and application runtime protection. So let’s get started.
Training and Awareness
Technology is no substitute for knowledgeable security professionals that can connect conceptual knowledge to prescriptive secure coding practices. Cultivating skilled subject matter experts through instructor-led and computer-based courses, and training and certifying developers in offensive security, will equip them to design and code defensively.
Providing appropriate, relevant, and comprehensive AppSec training to all personnel involved in the software development life cycle (SDLC) will maximize investment that pays dividends by way of prevention. As the saying goes, an ounce of prevention is worth a pound of cure.
Refer to my earlier blog, Secure SDLC Lessons Learned: #5 Personnel, for more information on training and awareness.
Measuring and Reporting
Measuring an AppSec program’s effectiveness is vital for maintaining alignment with your organization’s risk management strategy. Each measurement should not only support business and risk management objectives but be appropriate to the AppSec program’s level of maturity.
Metrics tend to evolve into key performance indicators (KPIs) and key risk indicators (KRIs) over time. Mature programs will collect data from instrumented processes and activities. When reporting program KPIs and KRIs to executive management and other stakeholders, be sure to communicate context (the when/where/how) to avoid misinterpretation. Avoid metrics and visualizations that bring no value to your program.
For more on metrics and reporting, check out our blog, Secure SDLC Lessons Learned: #4 Metrics.
Knowledge Management (KM) solutions can take many forms: wikis, intranets, and document repositories. Their purpose is to equip development teams to design software securely by default, taking lessons learned through training and remediation activities, and capturing it as tribal knowledge. Design standards, secure coding best practices, and common coding pitfalls may also be included.
Effective KM solutions are centralized, accessible across teams, collaborative, relevant, and searchable. More mature programs incorporate targeted, proactive guidance into their KM solution. Data can be mined from prominent classes of vulnerabilities in defect tracking solutions.
If interested, my blog, Secure SDLC Lessons Learned: #3 Knowledge Management, provides more information.
Organizations having visibility into current application run states and states over time can better detect and defend against attacks. Design self-defending applications to log critical security events, such as authentication and authorization failures, to a centralized logging platform.
Continuous security monitoring and defined incident response procedures are native to mature AppSec programs. Runtime application self-protection (RASP) technology should be considered for higher-risk applications requiring greater defense-in-depth.
An AppSec program is much more than leveraging automated tools that evaluate applications for security flaws. It contains many elements that together form a cohesive strategy for software assurance. Certain components of your program may be comparable to other organizations. Ultimately though, your organization’s risk profile and tolerance, SDLC, and technology will result in a program that is uniquely your own.