AppSec Programs: Tips on How to Implement Them and Convince Leadership

Maria Schwenger
August 23, 2022

Nearly 85% of security professionals in a 2021 survey from Entrust said that vulnerability issues occur at the application level. And yet, only 24% of the participants were implementing necessary steps to protect app data. The positive in the survey is that “Nearly all IT pros plan to add application-level data protection functions in the next 12 months”. And this is very important, because vulnerabilities exposed as part of the app layer present a significant threat to organizations of all sizes. If you think like a hacker, you’ll ask, “Why would I attempt to bridge a (usually) well-guarded perimeter, when I can more easily exploit the application’s code and get where I want to be with minimal effort?”

On the other side, vulnerabilities in the application layer are on the rise today. Significant technical debt from legacy code, accelerated migration to cloud, insufficient skills when writing new applications or configuring cloud workloads, rapid development with DevOps quickly generating new code (without proper security design), etc. become the key contributors. This is where a strong AppSec program plays a critical role in ensuring weaknesses are identified and resolved before they become serious security flaws in our production environments.

Still, organizations remain hesitant to invest in AppSec, and making a business case for AppSec is commonly perceived as a tough ask. Although this is predominantly due to the lack of understanding of the importance of AppSec, other factors are also at play: AppSec tools can be viewed as expensive (especially when manual integration of multiple tools is required), and AppSec skills are sparse as well. 

Why AppSec Needs a Business Case

Within companies there are hurdles in the way of accepting the need for AppSec:

1. Corporate mindsets need to change

  • Senior stakeholders need to understand the value of a mission-critical risk management and mitigation resource like AppSec.
  • Most often there’s no detailed AppSec design and implementation plan in place to help technical and business stakeholders to understand the business viability of AppSec. Build the transparency your organization needs.

 2. Limited budgets of security departments

  • These budgets need to be divided up among competing priorities.
  • AppSec budgets need to be presented as an investment whose ROI will be beneficial to the organization’s bottom line.

3. Consistent maintenance required

  • A robust AppSec system is a multi-year, multi-level exercise that requires time, resources, and effort.

4. Developers need a strategic–rather than a tactical–mindset

  • There is demand for trained developers (AppSec Champions) who can present the need for AppSec cogently to company management and secure a buy-in.

How Can AppSec Stand Up and Be Heard?

It is an unfortunate reality that AppSec comes into the picture only after an event like a security breach occurs. Rather than as a reaction to crises, AppSec should be presented as a strategic tool that blends seamlessly into the company’s cloud strategy and IT infrastructure. There are a few ways of doing so:

1. Raise awareness about the potential risks and help main stakeholders to understand them in layman’s terms.

2. For better acceptance, identify stakeholders’ pain points and collaborate on a common approach between business and AppSec priorities.

3. Forecast and plan an AppSec structure with clear budgets, KPIs, and distinctly articulated benefits to the organization.

4. “Walk the talk” of your audience, showing collaborative spirit and remembering that not all stakeholders are tech-savvy.

5. Present success stories and KPI achievements to build visibility and credibility of the AppSec implementation plan.

6. Join forces with the security and technical leadership to make AppSec a “board worthy” topic.

Metrics for AppSec Success

The “data driven” approach adopted by many organizations in running is also useful to AppSec. A robust AppSec program will rely on a strong set of tools to measure outcomes in a holistic manner, incorporating various scanning metrics such as SAST, DAST, and SCA. The OWASP benchmark is a useful place to begin with when looking to test your applications. It’s also handy to determine how many applications are part of your SDLC. Measuring the time needed for remediation of application code vulnerabilities is also a great way to be transparent in the execution and the results. 

There are many metrics you can use, but here are some of the most important ones: 

1. Time required to identify and solve vulnerabilities (by category and type)

2. The average severity of vulnerabilities the organization’s system is open to

3. The probability of a threat repeating over a period of time

4. Different types of vulnerabilities found

5. Rating apps for vulnerability criticality for CWE and CVE

In many companies, the value of software security is restricted to compliance with regulatory guidelines or avoiding a data breach. Setting the right goals, listing important KPIs, and proving the value for the bottom line can get you the attention you need.

Partner, Cloud Native Build Leader, Americas IBM - IBM Consulting