When I was a child, I didn’t dream of becoming a legendary football player or a rock star. My dream was to become a Transformer: specifically Optimus Prime. I am sure some of you in the audience shared the same dream. As you can probably guess, unfortunately, this dream did not come true. But what I am going to share with you today is how to become something even better than Optimus Prime. We’re going to embark on a journey that will make you nothing less than a Transformer within your own organization.
The Seven Steps to Success
Let me take you through the seven simple steps that will help you become an AppSec Transformer.
- First and foremost, you will require Executive Sponsorship. Senior Management buy-in is essential to secure resources and funds for your AppSec program.
- Once you get management approval, it’s time to define the goals and set rules for specific AppSec policies. For example, you may decide to focus primarily on the OWASP Top 10 to start your security program.
- Remember with great power comes great responsibility. You and your organization must embrace software security solutions that are fully capable of operating in a highly-automated fashion, within the development “tooling” in use, and at scale.
- This is the perfect place to clear up a common misconception. When it comes to application security testing (AST) solutions, mitigating the risk of software exposure means identifying every vulnerability throughout your software development life cycle (SDLC). It’s all about multiple layers and multiple touchpoints. It may seem obvious that no single AST solution can fully protect your applications; you’ll need to combine different tools and solutions to achieve the desired results.
- Once the vulnerabilities have been identified, you’ll need a solution that can correlate the results across various AST products to help further “automate the improvement” of the results quality. For example, a vulnerability that is found by both SAST and IAST is probably a true positive. (Additional synergy can be found between SAST and SCA, and between SCA and IAST.)
- Once you’ve achieved your AST goals, it’s time to move to the most important next step—vulnerability remediation. Focus on fixing what matters most. This is achieved by fine-tuning remediation efforts via advanced methods like machine learning, AI, automated prioritization, and policy tuning. The end result, of course, is to simplify the job of both developers and security professionals, delivering a high level of automation at great scale.
- Finally, you want to make sure you can easily track and improve the software security in your organization. By creating specific KPIs based on security status, business-specific application status, project-specific security trends, aging, burn-down rates, density, and top-vulnerability views, you can make sure you reduce your software exposure risk to a minimum.
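The cross-tool correlation and prioritization described in the fifth and sixth steps, as an added example that is not part of the original post: constructed SAST, IAST and SCA findings (placeholder paths, component names and advisory ids) are merged by code location, rated by tool agreement, and ordered so the most credible findings are fixed first; a small KPI view at the end counts findings per confidence level.

```python
"""Added example, not from the original post: correlate constructed SAST, IAST
and SCA findings. SAST+IAST agreement at one code location is rated a probable
true positive; an SCA component that IAST saw loaded at runtime is rated reachable."""
from collections import defaultdict

# Constructed sample scanner output; paths, lines and advisory ids are placeholders.
SAST = [{"cwe": "CWE-89", "file": "app/orders.py", "line": 42},
        {"cwe": "CWE-79", "file": "app/views.py", "line": 17}]
IAST = [{"cwe": "CWE-89", "file": "app/orders.py", "line": 42, "route": "/orders"},
        {"cwe": "CWE-22", "file": "app/files.py", "line": 30, "route": "/download"}]
SCA = [{"component": "libfoo", "version": "1.2.0", "advisory": "ADVISORY-PLACEHOLDER-1"},
       {"component": "libbar", "version": "0.9.1", "advisory": "ADVISORY-PLACEHOLDER-2"}]
IAST_LOADED = {"libfoo"}  # components IAST observed being exercised at runtime

# Lower number = fix first; agreement between tools drives the ranking.
PRIORITY = {"probable-true-positive": 0, "reachable": 0,
            "runtime-confirmed": 1, "needs-triage": 2, "not-observed": 3}

def correlate(sast, iast, sca, loaded):
    """Merge code findings by (CWE, file, line); rate SCA hits by runtime reachability."""
    tools_by_key = defaultdict(set)
    for f in sast:
        tools_by_key[(f["cwe"], f["file"], f["line"])].add("SAST")
    for f in iast:
        tools_by_key[(f["cwe"], f["file"], f["line"])].add("IAST")
    results = []
    for key, tools in tools_by_key.items():
        if tools == {"SAST", "IAST"}:
            conf = "probable-true-positive"  # static and runtime evidence agree
        elif tools == {"IAST"}:
            conf = "runtime-confirmed"       # seen in execution, no static match
        else:
            conf = "needs-triage"            # static-only; may be a false positive
        results.append({"key": key, "tools": sorted(tools), "confidence": conf})
    for c in sca:
        reachable = c["component"] in loaded
        results.append({"key": (c["component"], c["version"]),
                        "tools": ["IAST", "SCA"] if reachable else ["SCA"],
                        "confidence": "reachable" if reachable else "not-observed"})
    return sorted(results, key=lambda r: PRIORITY[r["confidence"]])

def confidence_counts(results):
    """KPI view: number of findings at each confidence level."""
    counts = defaultdict(int)
    for r in results:
        counts[r["confidence"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for r in correlate(SAST, IAST, SCA, IAST_LOADED):
        print(r["confidence"], r["tools"], r["key"])
```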