Starting an AppSec program of work is no small feat, whether at a small or large corporation. The journey requires a lot of planning, dedication and, of course, sweat. Before you even get started, here is a small hint: it involves slightly more than buying a tool and getting some boxes checked.
Over the years, we have compiled a list of questions that every CISO and AppSec manager needs to consider before embarking on this journey.
1 - Why are you doing it?
This is the question you should be able to answer before starting any project. For AppSec there are a few big drivers (just after "my boss told me to"):
- Compliance with regulations: whether you're in healthcare, banking, or another highly regulated market, this is not news to you. You need to follow what the regulators ask of you or you're out of the market. There are a multitude of standards, depending on industry, country, and so on. For example, NIST, HIPAA, PCI-DSS, and GDPR are all well known, and you need to align your product with the ones relevant to your organisation.
- Err… there was a breach: believe it or not, demand for house alarms rises after break-ins. With AppSec, it's no different. If you had a breach caused by a software vulnerability, you know the impact it can have on your business as a whole.
- Doing what's right: needless to say, producing secure software is the right thing to do, even for the bad guys. You don't want to end up on the 8 o'clock news explaining to your customers what happened to their data. Secure software not only protects your customers, it also protects your brand reputation and becomes a positive brand differentiator.
2 - How much code do you have?
Identifying the assets to protect is every security team's nightmare. Understanding how much code you have and how many apps and repositories it lives in will give you an idea of the size of the problem, and will also help you decide what matters most to you. These are the questions you should be asking: How many lines of code? Which languages are used? Which frameworks are used? How many code repositories? How many applications? Are they exposed to the internet? Are we using open-source libraries?
3 - What tools do you already have in place?
More often than not, an organization's AppSec program is built on top of an already established DevOps environment. Teams have already invested time and money setting up that environment, and the developers are already accustomed to a certain ecosystem.
For an AppSec program to be successful, it needs to integrate seamlessly with that existing pipeline. These are the questions you should be asking: Where are my repositories? Which SCM is the team using? Do we have a CI/CD tool? Which IDE do our developers use? Are those tools installed on-premises, or are we using a cloud service?
4 - How many developers do you have?
Ultimately, much of the AppSec effort will be done by the people on the ground. It is an understatement to say that one of the keys to success is securing buy-in from the development team. They are the ones writing the code, they will receive the output of any tool you implement, and they will have to remediate any vulnerabilities found.
Without the developers, there is no code, secure or not. Counting them gives you the people dimension of the program.
5 - What is the size of your current AppSec team?
In an ideal world, every developer in the organisation is able to do AppSec. With proper training, they can get there. At the same time, you need to start somewhere, typically with a kind of "AppSec Center of Excellence" that collects the tool results, triages them, and helps your developers remediate the findings. Are you going to have AppSec as a separate team? Will AppSec experts be embedded in the squads? Do you have a good developer-to-AppSec-expert ratio? Do you have enough people to support your developers?
6 - What is your current development process?
Many AppSec teams think about the tools and the people, but the third dimension, the process, is just as important for a successful AppSec program. Understanding how things are done today will help you identify the best place to make the changes needed to introduce security into the development process.
You don't want to completely change what you do today, as that could disrupt the organization's existing rhythm and make the program harder for people to accept. You want to keep delivering updates to your applications faster and more safely.
7 - Where to start?
Introducing an AppSec program may seem overwhelming, especially once you understand the context and the impact the work will have on your organization. Big-bang approaches to change rarely work in the real world.
As with any new program, the important thing is to slice, dice, and prioritize the effort and transform the process iteratively, which gives you the best chance of success. Looking back at the information you've already collected, you should by now understand:
- Why are you starting or changing your AppSec program?
- What existing tooling do you already have in place?
- What are the first applications/repositories to address?
- Where do you want the AppSec platform to integrate?
- Which teams need to be trained first?
Whether it is helping you understand how mature you are in your AppSec journey with our AppSec Program Methodology & Assessment (APMA), empowering your organization with our integrated AppSec platform, Checkmarx One™, or supporting your developers through interactive training with Codebashing™, Checkmarx is your partner on this journey.
To learn more, check out Why Checkmarx is the Right Choice for you and your organization.