Have you been following our blog series guiding CISOs through the “Wild West” of application security? This is our fifth installment of a six-part series offering guidance to CISOs who are looking to survive the seemingly lawless world of application security. Many of these security leaders have shared their concerns about this increasingly challenging landscape, including the many ways it feels like the new frontier, and we are here with valuable insight and real solutions for CISOs looking to successfully tame this modern landscape.
Pioneering something means evaluating both its risk and its potential. In the old days, pioneers captured opportunities—be it gold or silver, cattle ranching or farmland—to forge a better future for themselves and others moving to the area. And eventually, what had once been an open frontier became a boomtown, a mature ecosystem able to support the continuing prosperity of the area.
Building a robust application security program is precisely the same. It is a landscape that takes time and effort to establish—but, with the right attention, will deliver real business value. In this way, the goal of an evolved CISO is to foster the culture of an application security boomtown, where progress and security are paramount.
Application Security is a Wealth-Creating Resource
Just like early pioneers hoping to strike it rich (or at least make a good living) off the natural resources around them, application security also generates wealth. And like the frontier, it needs a full support structure to thrive. Independent studies from the industry agree, underscoring the financial impact of a mature application security program.
Breaches originating from a third party—such as a partner or supplier—cost organizations $370K more than average. Studies have also concluded that integrating security into the software development process (DevSecOps) is associated with lower-than-average data breach costs. These are just a few of the components of a mature application security program.
Getting From Here to Boomtown is an Evolution
Boomtowns are characterized by rapid growth, but they don’t happen overnight. They begin with the initial discovery, and then other like-minded individuals arrive. An infrastructure to support that primary activity—mining, ranching, etc.—gets built. Then a formal supply chain develops. And finally, a broader ecosystem evolves to support the entire community. Application security initiatives within a company go through a similar evolution. A maturity model gives you guideposts to help you navigate the journey.
Maturity models are helpful frameworks to assess the current effectiveness of an initiative and determine what capabilities are needed to improve. The Building Security in Maturity Model (BSIMM) is one AppSec maturity model. OWASP has a DevSecOps Maturity Model, and there are plenty of others. While each has its own nuances, they share certain characteristics. They all define different stages of maturity, so you can determine if you’re in Wild West territory or a thriving boomtown.
Every application security maturity model begins with the most immature stage. There may be some security tools and practices in place, but they tend to be manual and/or ad hoc. But this doesn’t mean it’s all uphill. The good news is, you can quickly and cost-effectively accelerate your AppSec program right now in a few key ways.
There are usually one or more additional stages you must go through on your way to full maturity. The number and characterization of those phases differ from model to model, but they all provide guidance for continual progression. The progression is what’s important, not a to-the-T adherence to the model. The model is not a rigid mandate, and this is not a box-checking exercise. Your AppSec program derives its value from meaningful improvements.
The final stage of every model is what you’re ultimately striving for: a fully mature application security program. To some degree, this will be aspirational as there will always be potential for improvement. This is a good thing, as it keeps you from resting on your laurels.
The Building Blocks for Your Boomtown
No matter where you are in your AppSec journey, you need to measure and manage the integrity of your program. To do this, you need three key capabilities:
- Visibility: If you can’t see where you currently stand, you won’t know how to get to the next level. There are many different types of visibility, and a one-size-fits-all view won’t cut it. You need operational dashboards to provide overviews of application vulnerability information and data points, management dashboards to track development issues over time and monitor for improvements, and strategic dashboards to provide visibility into the organization’s risk posture and identify security gaps or blind spots.
- Orchestration: Increased levels of maturity in application security usually mean expanding the use of current scanning tools—and possibly acquiring new ones. But tools don’t execute and manage themselves. That’s why most models include automation as a key factor. While critical, automation alone isn’t sufficient. Automation eliminates manual security work within specific areas of the SDLC. Orchestration provides an overall cohesive structure for all your security scanning tools and automated processes.
- Governance: As a CISO, you already know you’re accountable for ensuring the software your business develops is secure. You have to be able to prioritize and mitigate application vulnerabilities to maintain your security posture—and demonstrate to regulators, customers and your board that appropriate controls are in place. This requires a decision-making framework that aligns with your organization’s risk profile.
Keep Your AppSec Boomtown From Going Bust
While many Old West boomtowns ultimately collapsed into ghost towns, you can avoid the same fate in your application security program. Unlike natural resources that become depleted, software security can continue to grow as you mature your program.