Guide for an Effective Application Security program

Chandan Bhattacharya
Cyber Security Advocacy
5 min read · Jun 29, 2024

After a decade of consulting experience in the cybersecurity space, when I take a retrospective view of the Application Security posture of the various organizations I have had the fortune to work with, I have never come across an organization which has a truly mature Application Security program. Unfortunately, most organizations have a patchwork of activities cobbled together, without clear metrics or a roadmap to scale effectively alongside the organization's growth.

As I pen this article to capture my perspective of an ideal Application Security program, I hope that it will serve as a valuable guide for assessing an organization's maturity and taking it to the next level.

Need for Application Security

Here are key takeaways from Astra Security’s Cybersecurity Statistics:

Web application attacks contribute to 26% of breaches, ranking as the second most prevalent attack pattern.

On average, a website experiences 94 attacks daily and is visited by bots approximately 2,608 times a week.

17% of all cyber attacks target vulnerabilities in web applications.

This clearly demonstrates that, even after so many years of security standardization efforts, application security remains a major concern for organizations of all sizes to this day. Security standards are a step in the right direction, but without a holistic effort to effectively implement, diligently monitor, and continuously improve the program, the situation will only worsen as organizations undergo rapid digital transformation.

Building an effective Application Security program

In this section, I put forth my framework for building a standard Application Security program, one that enables organizational leadership to assess their efforts and identify the gaps they can address to improve their posture.

Step 1: Understand organization’s scope and objectives

Define goals & success criteria

Although goals differ across organizations, it is important to identify the key pillars around which these goals are defined. Based on my experience, the primary focus for Application Security should be on the following aspects, which make a sound starting point:

  • Risk Management
  • Data Protection
  • Legal and Compliance Requirements
  • Incident Response and Recovery
  • Employee Training and Awareness

To define success criteria for the goals, organizations should focus on measurable outcomes. Key performance indicators (KPIs) and metrics should be clearly defined and documented, each with a data source and a measurement period, so that the same number can be reproduced next quarter. Examples of such outcomes are:

  • Zero critical vulnerabilities open beyond their agreed remediation deadline
  • Meeting all regulatory compliance requirements
  • No major security breaches over a set period
  • A decreasing trend in identified issues
  • A shrinking mean time to remediate vulnerabilities, tracked per severity
  • Speed and efficiency of responses to security incidents
  • Regular training completion rates

Enforce adherence to Application Inventory process

An effective application inventory process is a crucial aspect of a mature program. From my experience in cybersecurity consulting, I see primarily two types of inventory methods in organizations:

  • Separate inventory systems for application assets and other IT assets
  • Centralized inventory system for all IT assets

Proposing a single standard inventory approach does not work, because organization-specific factors such as the structure of the Application Security function and budgetary constraints must be considered. However, for an application inventory to function well in an Application Security program, every inventory record must carry at least these attributes, since they drive the risk profiling and the selection of security activities later in the workflow:

  • A data classification for the information the application handles
  • Compliance-specific tags such as HIPAA or PCI-DSS
  • The application's business criticality

Step 2: Create Application Security standards

For an effective Application Security program, it is necessary to maintain consistency in security activities across the organization. Standardizing these activities is therefore a significant aspect of any application security program: each activity should have a documented standard stating when it is triggered, what it covers, and what evidence it produces, so that two application teams subjected to the same activity get the same treatment. Regardless of the organizational context, a core set of activities recurs in every program; these are the activities walked through under Step 3 below.

Step 3: Define & Implement Application Security workflow

An Application Security workflow captures the overall flow of activities and the interactions of various stakeholders associated with the program. Based on my experience, the fundamental approach to create such a workflow is as follows:

a. Establish security onboarding: In this stage, an application gets onboarded onto the Application Security program. For this to happen, it is critical to identify the trigger points at which an application is supposed to be onboarded. Knowledge of the organization's System Development Lifecycle is important for identifying these trigger points. The two trigger points most organizations use are:
- When a new application is created
- When an existing application undergoes a change

Application changes are organization-specific, and extensive collaboration with application teams is required to develop a change classification scheme that determines which changes (for example, a new external interface or a change to authentication or data handling) bring an application back into the Application Security program.

b. Implement risk profiling: In this stage, the application is classified based on its security attributes. Organizations can define risk tiers based on their ecosystem and apply it across all application security activities.

c. Define workflows for key Application Security activities: In this stage, the application undergoes secure architecture review, threat modeling, secure code review, software composition analysis, dynamic application security testing, and manual penetration testing, each scheduled against the appropriate stage of the System Development Lifecycle and scoped according to the risk tier assigned in the previous stage.

d. Establish reporting of security risks: This stage involves reporting the design flaws and security vulnerabilities identified by the security activities. It requires integration with the organization's risk management and issue tracking systems so that security risks are tracked and monitored through to remediation or mitigation.
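The following is an added example, not code from the original article, showing how the inventory attributes from Step 1 (data classification, compliance tags, business criticality) feed the risk profiling in stage b and gate the activities in stage c. The field names, the tiering rules and the activity-to-tier mapping are illustrative assumptions; the two sample applications are constructed. The one practical point it demonstrates is the onboarding gate: a record with incomplete inventory data is rejected rather than silently landing in the lowest tier.

```python
"""Inventory record -> risk tier -> required AppSec activities (added example).

Assumptions (not from the article): the attribute names, the 1..4 tier
scale, the tiering rules and the activity thresholds below.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Criticality(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    MISSION_CRITICAL = 3


@dataclass(frozen=True)
class Application:
    """One inventory record; the three mandatory security attributes are
    classification, criticality and compliance_tags."""
    app_id: str
    name: str
    owner: str
    classification: Classification
    criticality: Criticality
    compliance_tags: frozenset = frozenset()   # e.g. {"PCI-DSS", "HIPAA"}
    internet_facing: bool = False


REQUIRED_FIELDS = ("app_id", "owner", "classification", "criticality")


def validate(app: Application) -> list:
    """Return the inventory-quality problems for one record (empty list = OK)."""
    return [f"missing {f}" for f in REQUIRED_FIELDS if getattr(app, f) in (None, "")]


def risk_tier(app: Application) -> int:
    """Map security attributes to a tier: 1 (highest risk) .. 4 (lowest).

    Assumed rules: the higher of classification and criticality sets the
    base score; any compliance tag forces the score to its maximum
    (regulated data); internet exposure raises the score by one step.
    """
    score = int(max(app.classification, app.criticality))  # 0..3
    if app.compliance_tags:
        score = 3
    if app.internet_facing:
        score = min(score + 1, 3)
    return 4 - score  # score 3 -> tier 1, score 0 -> tier 4


# Activity -> the lowest-risk tier number that still requires it.
# An activity is required when the app's tier <= that number.
ACTIVITIES = {
    "secure_architecture_review": 2,
    "threat_modeling": 2,
    "secure_code_review": 3,
    "software_composition_analysis": 4,   # everyone, every build
    "dynamic_application_security_testing": 3,
    "manual_penetration_test": 1,         # only the top tier
}


def required_activities(app: Application) -> list:
    tier = risk_tier(app)
    return [name for name, max_tier in ACTIVITIES.items() if tier <= max_tier]


def onboard(app: Application) -> dict:
    """Onboarding gate: refuse incomplete inventory data instead of tiering it."""
    problems = validate(app)
    if problems:
        raise ValueError(f"{app.app_id}: cannot onboard, {', '.join(problems)}")
    return {"app_id": app.app_id, "tier": risk_tier(app),
            "activities": required_activities(app)}


# Constructed sample records.
PAYMENTS = Application("APP-001", "payments-api", "payments-team",
                       Classification.RESTRICTED, Criticality.HIGH,
                       frozenset({"PCI-DSS"}), internet_facing=True)
WIKI = Application("APP-002", "internal-wiki", "it-ops",
                   Classification.INTERNAL, Criticality.LOW)

if __name__ == "__main__":
    for app in (PAYMENTS, WIKI):
        print(onboard(app))
```

Running the block prints the tier and activity list for both sample applications. Because the compliance tag alone forces the top tier, a low-criticality reporting tool that merely stores cardholder data still receives the full activity set, which is the behaviour most programs want from their tagging.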

Step 4: Establish Continuous Improvement process

Monitoring the Application Security program is a significant effort, which involves deeply analyzing Application Security outcomes against the defined KPIs and metrics to determine whether the program has met its goals. This should be done continuously so that the Application Security program adapts quickly to evolving security goals; a metric that is computed once a year cannot steer anything.
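As an added example (not part of the original article), the block below computes three of the KPIs listed under Step 1 from a findings export such as an issue tracker would produce: mean time to remediate per severity, the findings that breached their remediation SLA (including ones still open), and the open-findings trend over time. The record layout, the SLA table and the six sample findings are constructed assumptions.

```python
"""Vulnerability KPIs over an issue-tracker export (added example).

Assumptions (not from the article): the record fields, the SLA days per
severity, and the constructed FINDINGS data.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Assumed remediation SLAs in days, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample export: one dict per finding; closed=None means still open.
FINDINGS = [
    {"id": "F-1", "app": "payments", "severity": "critical",
     "opened": date(2024, 5, 1), "closed": date(2024, 5, 5)},
    {"id": "F-2", "app": "payments", "severity": "high",
     "opened": date(2024, 5, 3), "closed": date(2024, 6, 20)},   # 48 days, SLA 30
    {"id": "F-3", "app": "portal", "severity": "critical",
     "opened": date(2024, 6, 1), "closed": None},                # still open
    {"id": "F-4", "app": "portal", "severity": "medium",
     "opened": date(2024, 4, 10), "closed": date(2024, 5, 10)},
    {"id": "F-5", "app": "hr", "severity": "low",
     "opened": date(2024, 3, 1), "closed": date(2024, 4, 1)},
    {"id": "F-6", "app": "hr", "severity": "high",
     "opened": date(2024, 6, 10), "closed": None},
]

AS_OF = date(2024, 6, 30)          # reporting date for the sample
TREND_START = date(2024, 4, 1)
TREND_END = date(2024, 7, 1)


def mttr_by_severity(findings):
    """Mean time to remediate in days per severity, closed findings only."""
    buckets = defaultdict(list)
    for f in findings:
        if f["closed"] is not None:
            buckets[f["severity"]].append((f["closed"] - f["opened"]).days)
    return {sev: mean(days) for sev, days in buckets.items()}


def sla_breaches(findings, as_of=AS_OF):
    """IDs of findings closed late or still open past their SLA on `as_of`.

    Open findings count against the SLA too; measuring only closed ones
    hides the worst backlog.
    """
    late = []
    for f in findings:
        end = f["closed"] or as_of
        if (end - f["opened"]).days > SLA_DAYS[f["severity"]]:
            late.append(f["id"])
    return late


def open_count_trend(findings, start=TREND_START, end=TREND_END, step_days=30):
    """(date, open findings) samples; the 'decreasing trend' KPI."""
    points = []
    d = start
    while d <= end:
        open_n = sum(1 for f in findings
                     if f["opened"] <= d and (f["closed"] is None or f["closed"] > d))
        points.append((d, open_n))
        d += timedelta(days=step_days)
    return points


def kpi_report(findings=FINDINGS, as_of=AS_OF):
    return {
        "mttr_days": mttr_by_severity(findings),
        "sla_breaches": sla_breaches(findings, as_of),
        "open_critical": sum(1 for f in findings
                             if f["severity"] == "critical" and f["closed"] is None),
        "open_trend": [n for _, n in open_count_trend(findings)],
    }


if __name__ == "__main__":
    for k, v in kpi_report().items():
        print(f"{k}: {v}")
```

On the sample data the report shows the point of tracking open findings against the SLA: F-3 has not been closed yet, so it never appears in an MTTR figure, but it is already three weeks past its seven-day critical SLA and is the first item leadership should see.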

Automation is also an essential aspect of continuously improving an Application security program. Integrations of Application Security tools with ITSM tools and software engineering pipelines must be explored and implemented. Providing such integration capabilities has now become an essential requirement for an application security tool.

Step 5: Conduct Training and Awareness

Like any security program, extensive training and awareness are an essential part of an Application Security program, disseminating the relevant information across the organization. In my view, this effort should be segregated based on the target audience as follows:

  • Training programs for Application Security team to enhance delivery capabilities
  • Awareness programs for other employees, such as application teams, to achieve higher compliance in Application Security goals.

By segregating the training efforts, organizations would be able to concurrently build their capabilities and take the right steps to achieve their defined goals.

Conclusion

In conclusion, if organizations follow the outlined approach diligently, they would be able to improve their Application Security posture drastically and align their Application Security efforts with the organizational growth in an effective and efficient manner.

Here are some key resources you can refer for more guidance:
