Leveraging an AppSec maturity framework can help organizations realize where they need to focus their efforts first.
The Checkmarx AppSec Program Methodology and Assessment (APMA) framework helps enterprises adopt a risk-based scanning and remediation strategy. It starts from an understanding of the risk surface, built by creating a business application inventory with suitable risk ratings, and couples that with effective preset management and application onboarding.
After conducting more than 100 assessments of enterprises around the world, we have come up with five tips to build an impactful AppSec program.
1. Risk Rank Your Business Application Inventory
One of the pillars of effective application security is understanding your risk profile. Not all applications are created equal. A risk-rated inventory is a targeted and efficient way to allocate security resources to each application in proportion to its criticality.
Organizations must keep a detailed inventory that takes into account factors such as whether an application is internal- or external-facing, the sensitivity of the data it handles, and its business criticality. This inventory becomes the backbone for informed decision-making, allowing development teams to prioritize their effort on the most critical applications. Organizations that do not have a business application inventory tend to have poor tool deployment, which hurts the overall developer experience.
How do organizations stack up?
- 72% of assessed organizations don't have a risk-rated inventory.
- Of the assessed organizations without a risk-rated inventory, 65% either did not have their scan results reviewed or did not have developers execute a remediation process.
- 75% of assessed organizations with low business application inventory maturity have also rolled out AppSec testing tools to fewer than 50% of their business applications.
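As an added illustration of what a risk-rated inventory can drive (this is example code, not Checkmarx's APMA tooling), the script below scores each application on the three factors the text names, assigns a tier, and maps the tier to a scan policy so that scan depth and build gating follow risk rather than being uniform. The ordinal scales, weights, tier cut-offs, policy table and the sample inventory are all assumptions constructed for the example.

```python
"""Risk-rate a business application inventory and derive a per-tier scan policy.

Added example, not Checkmarx's APMA tooling. The ordinal scales, weights,
tier cut-offs and scan policy are assumptions chosen for illustration;
the three factors (exposure, data sensitivity, criticality) are the ones
the text names.
"""
from dataclasses import dataclass

# Ordinal scales for the three factors. Higher is riskier. (Assumed.)
EXPOSURE = {"internal": 1, "partner": 2, "internet": 3}
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "mission_critical": 4}

# Assumed weights. Maximum score = 3*3 + 3*4 + 2*4 = 29.
WEIGHTS = {"exposure": 3, "data_sensitivity": 3, "criticality": 2}

# Assumed tier cut-offs on the weighted score, highest tier first.
TIER_BOUNDS = (("tier1", 22), ("tier2", 15), ("tier3", 0))

# Assumed per-tier policy: tier 1 gets the full preset and a strict gate,
# tier 3 a narrow preset and no gate.
SCAN_POLICY = {
    "tier1": {"preset": "comprehensive", "break_build_on": "high", "scan_on": "every_commit"},
    "tier2": {"preset": "narrow", "break_build_on": "critical", "scan_on": "pull_request"},
    "tier3": {"preset": "narrow", "break_build_on": None, "scan_on": "nightly"},
}


@dataclass(frozen=True)
class Application:
    name: str
    owner: str
    exposure: str
    data_sensitivity: str
    criticality: str


def risk_score(app: Application) -> int:
    """Weighted sum of the ordinal factors. An unknown label raises KeyError
    instead of silently scoring 0, so an incomplete inventory row is caught."""
    return (
        WEIGHTS["exposure"] * EXPOSURE[app.exposure]
        + WEIGHTS["data_sensitivity"] * DATA_SENSITIVITY[app.data_sensitivity]
        + WEIGHTS["criticality"] * CRITICALITY[app.criticality]
    )


def risk_tier(app: Application) -> str:
    score = risk_score(app)
    return next(tier for tier, lower in TIER_BOUNDS if score >= lower)


def rank_inventory(apps):
    """(tier, score, app) tuples, highest risk first, ties broken by name."""
    return sorted(
        ((risk_tier(a), risk_score(a), a) for a in apps),
        key=lambda t: (-t[1], t[2].name),
    )


def scan_policy(app: Application) -> dict:
    return SCAN_POLICY[risk_tier(app)]


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Application("customer-portal", "payments", "internet", "regulated", "mission_critical"),
    Application("hr-intranet", "people-ops", "internal", "confidential", "medium"),
    Application("marketing-site", "marketing", "internet", "public", "low"),
    Application("partner-api", "integrations", "partner", "confidential", "high"),
]

if __name__ == "__main__":
    for tier, score, app in rank_inventory(SAMPLE_INVENTORY):
        print(f"{tier} {score:>2} {app.name:<16} {app.owner:<13} {scan_policy(app)}")
```

With the assumed rubric the constructed portal lands in tier 1 and the public marketing site in tier 3, which is the point: the internet-facing app that holds regulated data gets the comprehensive preset and a build gate, while the brochure site gets a narrow nightly scan. Failing loudly on an unknown label is deliberate; an inventory row with a missing factor should be fixed, not quietly treated as low risk.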
2. Optimize Presets for Targeted Scanning
Organizations have different goals: meeting compliance requirements, focusing on high-risk vulnerabilities, or taking a comprehensive look at all potential risks. AppSec solutions should be tailored to those goals to improve result fidelity and developer experience.
50% of assessed customers have not taken the first step of selecting the preset that aligns with their security strategy.
Applying a risk-based security strategy involves preset optimization. Default presets are comprehensive, but a "boil the ocean" approach can overwhelm development teams with noise. Developers may end up fixing non-exploitable findings rather than the critical vulnerabilities that pose a significant security risk, and the volume of results, coupled with existing workloads, leads to frustration and resistance.
Organizations should adapt their scanning strategies according to their risk tolerance and business goals. Checkmarx advocates a three-step preset reset plan to mitigate result fatigue and enhance developer adoption:
- Step 1 – Narrow the preset: Introduce narrow aperture presets.
- Step 2 – Identify and tune outlier queries: Iteratively look for queries that produce outlier results and customize them for best results.
- Step 3 – Focus on critical applications: Channel efforts towards critical applications, deepening SAST scanning, and query customization.
A measured approach to preset customization significantly affects the long-term satisfaction and experience of development teams.
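To make Step 2 concrete, here is an added example (not Checkmarx's own tooling or query language) that works over a generic SAST result export: one record per finding, carrying the query (rule) that produced it and the triage state assigned to it. It flags a query as an outlier when it dominates result volume or when most of its triaged results have been marked not exploitable, and proposes the next preset iteration with those queries set aside for tuning rather than silently dropped. Query names, triage states, counts and the thresholds are constructed assumptions for the example.

```python
"""Find outlier SAST queries worth tuning or removing from a preset.

Added example, not Checkmarx's tooling. Works on a generic finding export
(query name + triage state per result). Sample data and thresholds are
constructed assumptions.
"""
from collections import defaultdict

TRIAGED_STATES = {"confirmed", "not_exploitable"}  # "to_verify" = not yet triaged


def _rows(app, query, confirmed=0, not_exploitable=0, to_verify=0):
    """Build constructed finding records for one query in one application."""
    return (
        [{"app": app, "query": query, "state": "confirmed"} for _ in range(confirmed)]
        + [{"app": app, "query": query, "state": "not_exploitable"} for _ in range(not_exploitable)]
        + [{"app": app, "query": query, "state": "to_verify"} for _ in range(to_verify)]
    )


# Constructed sample export (not real scan data). A real export would come
# from the SAST tool's results API or CSV.
SAMPLE_FINDINGS = (
    _rows("customer-portal", "Log_Forging", confirmed=2, not_exploitable=34, to_verify=4)
    + _rows("customer-portal", "SQL_Injection", confirmed=5, to_verify=1)
    + _rows("partner-api", "Reflected_XSS", confirmed=8, not_exploitable=2, to_verify=2)
    + _rows("partner-api", "Hardcoded_Password", confirmed=1, not_exploitable=3, to_verify=4)
)


def query_stats(findings):
    """Per-query totals: all results, triaged results, and not-exploitable results."""
    stats = defaultdict(lambda: {"total": 0, "triaged": 0, "not_exploitable": 0})
    for f in findings:
        s = stats[f["query"]]
        s["total"] += 1
        if f["state"] in TRIAGED_STATES:
            s["triaged"] += 1
        if f["state"] == "not_exploitable":
            s["not_exploitable"] += 1
    return dict(stats)


def find_outliers(findings, volume_share=0.30, fp_rate=0.80, min_triaged=5):
    """Return {query: [reasons]} for queries that are either noise candidates
    (a large share of all results) or false-positive candidates (most triaged
    results marked not exploitable). The fp-rate test needs at least
    min_triaged triaged results so a handful of early decisions cannot
    remove a query by itself. Thresholds are assumptions."""
    stats = query_stats(findings)
    total = sum(s["total"] for s in stats.values())
    outliers = {}
    for query, s in stats.items():
        reasons = []
        if total and s["total"] / total >= volume_share:
            reasons.append(f"produces {s['total']} of {total} results")
        if s["triaged"] >= min_triaged and s["not_exploitable"] / s["triaged"] >= fp_rate:
            reasons.append(
                f"{s['not_exploitable']} of {s['triaged']} triaged results marked not exploitable"
            )
        if reasons:
            outliers[query] = reasons
    return outliers


def next_preset(current_preset, findings, **thresholds):
    """One iteration of Step 2: keep non-outlier queries, return outliers
    separately so they are tuned (and re-added once customized) rather than
    vanishing from the preset unnoticed."""
    outliers = find_outliers(findings, **thresholds)
    kept = [q for q in current_preset if q not in outliers]
    return kept, outliers


if __name__ == "__main__":
    preset = ["SQL_Injection", "Log_Forging", "Reflected_XSS", "Hardcoded_Password"]
    kept, flagged = next_preset(preset, SAMPLE_FINDINGS)
    print("keep:", kept)
    for q, reasons in flagged.items():
        print("tune:", q, "->", "; ".join(reasons))
```

In the constructed data Log_Forging is flagged on both counts, SQL_Injection and Reflected_XSS survive, and Hardcoded_Password is left alone because only four of its results have been triaged. Run the same pass after each triage cycle: as more results get a state, queries move in and out of the flagged set, which is what "iteratively" means in Step 2.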
3. Onboard Applications in a Structured Manner to Create a Baseline
Developing a mature application onboarding process is critical to consistently review and remediate results. The onboarding process, encompassing initial scanning, result review, and SDLC integration, sets the stage for application security testing. It ensures that development teams are familiar with security testing processes.
This process includes tuning checks, rules, and queries, optimizing them for the specific application's architecture. A security architecture assessment adds another layer of refinement. Regular reviews ensure continuous alignment with evolving application architectures.
Why is this important? Here’s some real-world data:
- Only 21% of assessed customers have a structured process to onboard applications.
- 75% of assessed customers with a mature triage and optimization process review results on a consistent basis, and 20% of them even break builds when policies are violated.
- Customers who have a mature triage and optimization process have a 10x better policy enforcement rate.
4. Take Advantage of Automation and Integration for Continuous Security Testing
Automation is key. Integrating automated security testing tools into the development workflow streamlines processes, reduces manual efforts, and ensures consistent results. Organizations with more mature AppSec programs automate security testing to enable more successful review and remediation processes.
Automated tools offer real-time feedback, enabling issues to be resolved early in the development process. This prevents vulnerabilities from escalating. Developers receive immediate feedback when they commit changes, addressing security issues when they are most attuned to the code, fostering a more agile and secure development process.
Organizations that automate the testing process reduce friction within their SDLC process, therefore improving their developer experience.
Lack of automation has a direct impact on result review and remediation.
- Among assessed customers with a high level of scan automation, 64% had development teams that reviewed results and remediated vulnerabilities.
- 77% of assessed customers without scan automation had development teams that did not review results or remediate vulnerabilities.
5. Educate Stakeholders about AppSec
The success of any AppSec program is tied to the education given to stakeholders. Developer training programs that emphasize secure coding practices, coupled with comprehensive documentation and code samples, improve the maturity of AppSec practices. Yet 39% of assessed customers have no education and guidance strategy, and only 32% have implemented a higher-maturity education and guidance strategy.
Education should be tailored to four key roles:
- AppSec management
- AppSec experts/champions
Organizations that have a comprehensive education and guidance component see a 25x-30x higher rate of results review and remediation process execution by development teams.
The APMA Framework: A Roadmap to Enhance Developer Experience
When the speed of development is non-negotiable, integrating robust application security measures is a must. The APMA framework, distilled from real-world assessments, provides a roadmap for organizations to not only secure their applications but also enhance the developer experience. As organizations embark on this journey, they not only fortify their defenses but also foster a culture of security that resonates throughout DevOps and the SDLC.
Organizations can get started with APMA by taking the free digital assessment. In just a few minutes, they can obtain actionable recommendations to get started on their AppSec journey. Larger enterprises can contact us for the full assessment.