CISO Perspective: Successful Secure Application Development
Organizations must focus on many areas within the business to ensure corporate data and assets are secure. Even though there are competing priorities, application security must be an important component of a successful information risk management program. This is even more important now because of the growing trend for applications to reside outside the corporate perimeter. Given the potential impact on business delivery timelines, it is essential that information security practitioners obtain and maintain the support of executive management and key stakeholders.
It is also important that the program be aligned with the goals of the business and focused on appropriate management of risk. There is no “one size fits all” application security program, but there are key activities for ensuring that your organization’s application security is right-sized for your company.
Here are five tips that can help you build a successful application security program.
- Establish a cross-functional team to define the state of software application security and any opportunities to improve. Be sure that there are representatives involved from the various software application development teams, including non-IT stakeholders who may be developing software with third parties and leveraging cloud services for managing critical company systems and data.
- Identify and evaluate the options for addressing application security concerns as a team. For example, when do you use source code analyzers, independent penetration testing services, etc.? Most likely a combination of services will be used, selected according to a tiered risk model. Input from the software development team and key stakeholders is necessary for the organization to embrace the new process and the associated changes to the development life cycle. Also consider that companies generally do not like to pay more for testing than for creating or hosting the software, unless the risks are clearly understood.
- Document the application security program and ensure that the process is understandable and sustainable. Be sure that stakeholders understand the terminology and methodology to avoid gray areas. For example, if the methodology includes sampling for defects, be sure that individuals don’t expect all such instances of a vulnerability to be identified during testing.
- Develop training and awareness materials for developers to refer to as they create applications. This includes identifying any patterns or APIs that are commonly used for authentication, privacy, fraud detection, etc. To be cost-effective you may also want to leverage training programs that are available on the Internet or via subscription. As the program matures, consider whether you should test developer understanding and be sure to celebrate success when applications launch with zero defects. Metrics are important to show progress and business value.
- Obtain executive management support. Inevitably, someone will attempt to promote an application to production with a high-risk issue. The information security program must have support for assessing the risk to the company, especially if company policy is to deny the launch. If executives do not support the application security program or see its value, it will likely fail. The tone at the top is vital to ensuring that there is appropriate ongoing funding, including security tools and staff training.
In summary, by focusing the application security program on business risk and benefits, organizations will reduce direct attacks on systems and data through insecure code. A pragmatic, risk-based application security program will help highlight the value of information security services to the organization. With executive management and stakeholder support, the information security practitioner can stop playing judge, jury and bad cop alone.