
Quick Tips for Building an Effective AppSec Program – Part 3

June 07, 2018

This is the last post in my series on creating an effective AppSec program within your organization. In my last post, we discussed the importance of toolchains, defect tracking, and establishing vulnerability management processes to help your AppSec and development teams stay on top of remediation efforts in an efficient and programmatic way.


In this post, we’ll spend some time exploring how to enable the various stakeholders across the organization, how to measure the effectiveness of your AppSec program, the importance of a knowledge management system, and application runtime protection. So let’s get started.

Training and Awareness

Technology is no substitute for knowledgeable security professionals who can connect conceptual knowledge to prescriptive secure coding practices. Cultivating skilled subject matter experts through instructor-led and computer-based courses, and training and certifying developers in offensive security, will equip them to design and code defensively.

Providing appropriate, relevant, and comprehensive AppSec training to all personnel involved in the software development life cycle (SDLC) is an investment that pays dividends through prevention. As the saying goes, an ounce of prevention is worth a pound of cure.

Refer to my earlier blog, Secure SDLC Lessons Learned: #5 Personnel, for more information on training and awareness.

Measuring and Reporting

Measuring an AppSec program’s effectiveness is vital for maintaining alignment with your organization’s risk management strategy. Each measurement should not only support business and risk management objectives but be appropriate to the AppSec program’s level of maturity.

Metrics tend to evolve into key performance indicators (KPIs) and key risk indicators (KRIs) over time. Mature programs will collect data from instrumented processes and activities. When reporting program KPIs and KRIs to executive management and other stakeholders, be sure to communicate context (the when/where/how) to avoid misinterpretation. Avoid metrics and visualizations that bring no value to your program.
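As an added illustration of "collecting data from instrumented processes" (example code written for this post, not Optiv's own tooling), the block below derives one KPI (mean time to remediate, per severity) and one KRI (open defects past their remediation SLA) from a constructed defect-tracker export, and wraps them in the context a report needs so the numbers are not misread. The SLA days, the record layout and the sample defects are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical remediation SLAs in days, by severity. These are assumed
# values for the example; each organization sets its own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Defect:
    """One finding as it might be exported from a defect tracker."""
    id: str
    app: str
    severity: str           # "critical", "high", "medium" or "low"
    opened: date
    closed: Optional[date]  # None while the defect is still open

# Constructed sample records (not real data).
SAMPLE_DEFECTS = [
    Defect("D-1", "billing", "critical", date(2018, 5, 1), date(2018, 5, 4)),
    Defect("D-2", "billing", "high", date(2018, 5, 2), date(2018, 5, 20)),
    Defect("D-3", "portal", "high", date(2018, 4, 1), None),
    Defect("D-4", "portal", "medium", date(2018, 4, 15), date(2018, 5, 30)),
    Defect("D-5", "api", "critical", date(2018, 5, 20), None),
    Defect("D-6", "api", "low", date(2018, 1, 10), date(2018, 5, 1)),
]

# Reporting date for the sample; fixed so the example is reproducible.
AS_OF = date(2018, 6, 7)

def mean_time_to_remediate(defects):
    """KPI: average days from open to close, per severity, over closed defects."""
    totals = {}
    for d in defects:
        if d.closed is None:
            continue
        count, acc = totals.get(d.severity, (0, 0))
        totals[d.severity] = (count + 1, acc + (d.closed - d.opened).days)
    return {sev: acc / count for sev, (count, acc) in totals.items()}

def sla_breaches(defects, as_of):
    """KRI: ids of open defects whose age on `as_of` exceeds the severity SLA."""
    return [d.id for d in defects
            if d.closed is None and (as_of - d.opened).days > SLA_DAYS[d.severity]]

def report(defects, as_of):
    """Bundle the indicators with the when/where/how needed to interpret them."""
    return {
        "as_of": as_of.isoformat(),
        "source": "defect tracker export (constructed sample)",
        "population": len(defects),
        "open": sum(1 for d in defects if d.closed is None),
        "mttr_days": mean_time_to_remediate(defects),
        "sla_breaches": sla_breaches(defects, as_of),
    }

def sample_report():
    """Run the report over the constructed sample as of the fixed date."""
    return report(SAMPLE_DEFECTS, AS_OF)

if __name__ == "__main__":
    print(sample_report())
```

The breach list is a KRI because it names risk the organization is carrying right now; the MTTR figures are KPIs because they describe how the process performs. Both only mean something alongside the `as_of`, `source` and `population` fields, which is the context the paragraph above asks you to report.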

For more on metrics and reporting, check out our blog, Secure SDLC Lessons Learned: #4 Metrics.

Knowledge Management

Knowledge Management (KM) solutions can take many forms: wikis, intranets, and document repositories. Their purpose is to equip development teams to design software securely by default, taking the lessons learned through training and remediation activities and capturing them as tribal knowledge. Design standards, secure coding best practices, and common coding pitfalls may also be included.

Effective KM solutions are centralized, accessible across teams, collaborative, relevant, and searchable. More mature programs incorporate targeted, proactive guidance into their KM solution, mining the defect tracking solution for the most prominent classes of vulnerabilities to decide what that guidance should cover.

If interested, my blog, Secure SDLC Lessons Learned: #3 Knowledge Management, provides more information.


Organizations with visibility into the current runtime state of their applications, and into how that state changes over time, can better detect and defend against attacks. Design self-defending applications to log critical security events, such as authentication and authorization failures, to a centralized logging platform.

Continuous security monitoring and defined incident response procedures are native to mature AppSec programs. Runtime application self-protection (RASP) technology should be considered for higher-risk applications requiring greater defense-in-depth.
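To make the logging guidance above concrete, here is an added example (written for this post, not code from Optiv or from any RASP product) of an application emitting structured authentication and authorization events, plus the kind of simple monitoring rule a central platform would run over them: a source address that accumulates repeated failures inside a short window is flagged. The event field names, the threshold, the window and the replayed sample events are all assumptions.

```python
import json
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# In production this logger would ship to the central logging platform;
# here it writes JSON lines to stderr so the example runs offline.
security_log = logging.getLogger("security")
security_log.setLevel(logging.INFO)
if not security_log.handlers:
    security_log.addHandler(logging.StreamHandler())

def security_event(event_type, outcome, *, user, source_ip, request_id, ts=None):
    """Build and emit one structured security event.

    Only identifiers and outcome go in: never the submitted credential,
    a session token or a cookie, which would turn the log into a target.
    """
    event = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "event": event_type,    # e.g. "auth.login" or "authz.check" (assumed names)
        "outcome": outcome,     # "success" or "failure"
        "user": user,
        "source_ip": source_ip,
        "request_id": request_id,  # lets responders correlate with app logs
    }
    security_log.info(json.dumps(event, sort_keys=True))
    return event

class FailureMonitor:
    """Flag a source IP that reaches `threshold` failures within `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)  # source_ip -> recent failure times

    def observe(self, event):
        """Return True when this event pushes its source over the threshold."""
        if event["outcome"] != "failure":
            return False
        ts = datetime.fromisoformat(event["ts"])
        recent = self._failures[event["source_ip"]]
        recent.append(ts)
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        return len(recent) >= self.threshold

def demo():
    """Replay constructed events: three quick failures from one address trip
    the monitor; a single failure from another address does not."""
    monitor = FailureMonitor(threshold=3, window=timedelta(minutes=1))
    base = datetime(2018, 6, 7, 12, 0, tzinfo=timezone.utc)
    alerts = []
    for i in range(3):
        ev = security_event("auth.login", "failure", user="alice",
                            source_ip="203.0.113.7", request_id=f"req-{i}",
                            ts=base + timedelta(seconds=10 * i))
        if monitor.observe(ev):
            alerts.append(ev["source_ip"])
    ev = security_event("authz.check", "failure", user="bob",
                        source_ip="198.51.100.9", request_id="req-9",
                        ts=base + timedelta(seconds=40))
    if monitor.observe(ev):
        alerts.append(ev["source_ip"])
    return alerts

if __name__ == "__main__":
    print(demo())
```

The application side is deliberately small: a consistent schema with a timestamp, an outcome and a request id is what lets the central platform build the "state over time" view the paragraph describes. The monitor is the detection half of that picture and belongs on the platform, not in the application, so the rule can be tuned without a redeploy.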


An AppSec program is much more than leveraging automated tools that evaluate applications for security flaws. It contains many elements that together form a cohesive strategy for software assurance. Certain components of your program may be comparable to those of other organizations. Ultimately, though, your organization’s risk profile and tolerance, SDLC, and technology will result in a program that is uniquely your own.


By: Shawn Asmus

Practice Manager, Application Security, CISSP, CCSP, OSCP
