We know how important AppSec is to your business’s success. With potential threats growing and evolving due to the proliferation of open source code and Application Programming Interfaces (APIs), AppSec is becoming something that enterprises can no longer view as optional. To combat such threats, it is important to combine the implementation of appropriate Appsec technologies with a robust, yet practical and easy to implement Appsec methodology, so that everyone in the enterprise will be align on the goals and steps needed to get results. While Appsec methodologies have existed for some time, it is time to take a fresh look at their effectiveness and to come up with a more light-weight and easy-to-adopt framework that will fit the modern, fast-pace, ever-changing enterprises of today.
The Forrester’ 2023 State of Application Security Report states that integrating AppSec across the entire SDLC will be necessary in order to protect your organization today and in the future. Security is no longer an issue to be considered in silos or at the end of the SDLC. What’s required is an AppSec Maturity Model that can help organizations develop a strong AppSec program that can secure their applications from the first line of code to deploy and runtime in the cloud.
Let’s talk about planning for this model and choosing the right approach to deal with a changing and ever more threatening security landscape.
Clarity Amongst Acronyms
Which framework should you choose to create and improve your AppSec program? Not only are the threats changing all the time, but technical jargon and acronyms can make it even more difficult to understand what certain security models do.
Before we go any further, here’s a quick look at two key models you should know.
OWASP SAMM (Software Assurance Maturity Model)
OWASP is the Open Worldwide Application Security Project. This is a nonprofit foundation that works to improve the security of software through:
- Community-led open source software projects.
- Over 250 local chapters around the world.
- Tens of thousands of members.
- A leading educational and training conference.
OWASP SAMM aims to provide an effective and measurable way to analyze a development lifecycle and make it more secure. The model can be applied across the complete SDLC and is also designed to grow with the enterprise. It can be tailored to specific organizations and the risks they face. This is achieved by:
- Evaluating current software security practices.
- Building a balanced software security assurance program in well-defined iterations.
- Demonstrating tangible improvements.
- Offering the ability to define and measure security-related activities throughout an organization.
BSIMM (Building Security In Maturity Model)
This was one of the first ever AppSec maturity models, created15 years ago. The assessment helps you to compare your software security program with over 100 organizations across different industry verticals. The result is an objective, data-driven analysis that gives AppSec managers direction on decisions about resources and priorities.
A Fresh Approach to AppSec Maturity Models
Are these existing AppSec maturity models still relevant in 2023?
A common issue is they often provide too much information, making it difficult to know where to start. Another issue is stakeholder management – many models focus on the needs of developers or CISOs, but rarely AppSec managers and developers. The result is a lack of buy-in across your organization.
These models put a heavy emphasis on agility and the ability to adapt. Whilst there is talk about living in a post-agile world, the dynamic nature of AppSec threats means there is still a great need to adapt rapidly and implement fast feedback cycles. However, a purer version of agile thinking is unsuitable for AppSec. The environment changes too quickly, meaning time spent carefully crafting multi-phase plans can easily feel wasted.
A Better Way – Application Program Methodology Assessment Framework
At Checkmarx, we developed our own methodology to take AppSec frameworks and methodologies to the next level. The result is the AppSec Program Methodology and Assessment (APMA) Framework.
Experience tells us that the most efficient way to approach your AppSec maturity model is to decide on a target state – and then plan how to get there step-by-step. Decide what actions you need to take to go from your current situation to the desired one. Then work in short iterations with a few actions (sprints) to close the gap. The result is a clearer sense of program progress as the desired state slowly comes within reach.
Security offerings should be straightforward. APMA helps organizations better understand the capabilities they need to improve their AppSec posture and protect their business.
There are five dimensions to our framework that can provide efficiency and effectiveness to any AppSec program and bring all stakeholders together:
- Strategy and Governance - focusing on high level goals and objectives, policies and KPIs, usually the CISO’s responsibility.
- Security Testing (Tactical) - looking at the processes of an AppSec program, often the responsibility of the head of AppSec.
- Security Testing (Operational) - examining the tools required and how to use them, usually the responsibility of the head of application development in conjunction with AppSec management.
- Security Testing (Architecture and Scale) - the infrastructure required to perform security testing, mainly the responsibility of the IT/infrastructure manager.
- Planning - breaking everything down into work packages, a timeline and resources, mainly the responsibility of project manager, program manager and delivery manager.
Whatever model you end up choosing, you should ensure that it is best tailored to your organizational needs, so that employees, suppliers, and customers are secure for the foreseeable future.
APMA can offer you the support you need on your journey to achieve your AppSec goals and, importantly, sustain that security. If you're interested in how APMA can help mature your enterprise AppSec program, then learn more here.
Get started with APMA by taking the free digital assessment. In just a few minutes, you can obtain actionable recommendations to get started on their AppSec journey. Larger enterprises can contact us for the full assessment.
