AppSecOps: An Astute Business Approach to Security

By Munish Gupta
April 26, 2022

Organizational digital transformation truly accelerated in 2020 with the onset of COVID-19. In fact, the pandemic pushed it ahead by several years according to a global McKinsey survey. However, security is still often an afterthought as we rush headlong into the future to become more agile, flexible, and scalable.

Companies who are already following a DevOps approach will need to pay more attention to vulnerabilities due to their extensive use of open source apps. “More open source available means you can go faster, but there are often more of the vulnerabilities in the open source rather than the code that you have written,” explains Chris Wysopal of Veracode.

“DevSecOps is by far the most transformative thing an application security team can do to make themselves valuable to the organization.” — Doug Dooley, COO, Data Theorem

More companies are increasingly devoting budgets to toughen up cybersecurity but they balk when it comes to AppSecOps, which is essentially application security with a DevSecOps approach. A common belief is that implementing AppSecOps will slow down development teams and hamper innovation and agility.

The Business Case for AppSecOps

Cybersecurity breaches were once mostly the purview of IT departments. But a slew of security breaches in recent times, Log4Shell and Spring4Shell being the latest, have underlined the need for an integrated approach to security. Company leaders are now taking notice.

Organizations are gradually beginning to see that “shift left” is not just a smart security move, but also a smart business one.

How’s that?

“In the world of application security, our primary goal is this: Securing software applications at the lowest cost.”  — The Purple Book, Chapter 7

Here are four ways in which baking an AppSecOps approach into the overall business strategy helps an organization:

Automation to Save Time and Effort

You know how companies use CRMs to eliminate manual effort and repetitive tasks? Automation in AppSecOps is like that. When AppSec and SOC teams are able to automate small security monitoring tasks and focus on bigger, more complex issues, you’re saving time, increasing value, and improving threat intelligence. Automatically.

More Stable Apps, More Trust

An AppSecOps-first approach enmeshes DevSecOps principles into application development. With security built in right at the beginning of the coding process, apps naturally become more secure. Traceability is built in as well, increasing accountability, and this spurs developers to be doubly cautious about writing secure code. The end result? A stronger, more stable product, which in turn builds trust among customers.

A Secure By Design Approach

Putting the ‘ops’ in AppSec speeds up patch management, remediates potential vulnerabilities, and gives you a secure-by-design framework, which covers the entire product lifecycle end-to-end, right from the beginning. “Those who fail to do so run a myriad of risks, from financial ruin to structural chaos, culminating in the often-irreparable collapse of trust,” notes Ernst & Young.

Better to Prevent Rather Than React

Most often, security teams race to fix vulnerabilities once they are detected. But isn’t it better to prevent them from cropping up in the first place? Incorporating automated testing processes enables security teams to identify and prevent vulnerabilities early in the development cycle. This reduces your technical debt and financial losses: software failures cost companies about US$ 1.56 trillion according to this report.

Now, you might ask, “if this is so good, why do organizations hesitate?”

A few things make AppSecOps slightly challenging to implement. Traditional AppSec tools are not geared for the dimensions that DevSecOps addresses. Complying with the AppSecOps approach also requires developers to have DevOps expertise which is at times difficult to achieve. Tools, training, and implementing processes require much time and money.

What is the Purple Book Community?

The challenges that AppSec with a DevSecOps approach poses can only be solved by initiating a cultural and mindset shift. People need to be enabled to adopt DevSecOps in its true spirit. This is where the idea of the Purple Book Community came about.

The Purple Book Community comprises top security thought leaders and practitioners. Initially, it brought together 29 industry experts to write a comprehensive book about DevSecOps, AppSec, and product security concerns, best practices, and case studies. This book will be offered free of charge for the benefit of the broader community. The community is composed of seasoned security executives who understand the need to accelerate product innovation without compromising security posture.

How can the Purple Book Community help?

The book, as well as any other content that the community creates, provides actionable guidelines and playbooks to show how businesses can steadily add robust layers of security by adopting DevSecOps. It helps companies accelerate their processes by learning from practitioners who have been there and done that. The content of the book will be kept current by leaders who will write blogs and publish podcasts regularly.

Cybersecurity challenges are evolving every day to become more sophisticated. It’s important to have equally sophisticated experts on your side to decode the threats and keep your business safe. And the Purple Book Community is built to do just that.

The Purple Book Community acts as your support system and guide as you figure out your business framework and implement those key processes to fulfill the promises of DevSecOps.

Participate in the Community!

The community meets twice a month to talk about the latest developments in the industry, network with each other, share best practices, decode major attacks, and build lasting relationships. To see the latest updates and participate in events, check out the Community’s LinkedIn page.

Munish Gupta
Global Practice Head of Enterprise Security Architecture, Cyber Resilience and Cloud Security Advisory, Wipro