CISOs: Pre-Planning Your Application Security Program

Dec 03, 2013 By Sarah Vonnegut

Application Security is never a ‘one-and-done’ deal. It is ongoing, ever-evolving, and its centrality in organizations is ever-growing. As technology’s scope and complexity increase, the emphasis on application security needs to grow as well. No matter which stage of the maturity model you are in, application security is a constant in your approach.

Be very wary of jumping to the questions ‘so what do I need to buy’ and ‘how much is this going to cost me (and my CEO/CFO)’. You may not have an easy road ahead, but the key to creating a cost-effective and comprehensive security program is starting out with a solid foundation: knowing where your application security program has been and understanding where you’d like it to head.

The emerging and ever-evolving role of the CISO and the changing technological landscape have rendered many past programs irrelevant. As the realm of security keeps changing (moving services to the cloud, working in agile environments, implementing a DevOps team, etc.), these three steps, based on OWASP’s CISO AppSec Guide for designing an Application Security Program, will help CISOs in the pre-planning stages of their application security program.

1. Map It Out

The first step towards building a security strategy is connecting the dots between security goals and business priorities. Being in touch with your organization’s business goals is the basis for a grounded, realistic program and the best approach to eventually communicating your program as a value proposition.

Designing your strategy to be flexible and actionable is essential to its longevity. Plans will be thrown aside if they’re too grand or, vice versa, too rigidly structured. Too many critical, moving parts are at risk if the plan isn’t made to be flexible. An eye to adaptability and simplicity at every level will help you build a measurable and long-term program, and tying security goals to business priorities will help you attain that.

2. Assess Where You Are & Where You Want To Go

Where are you now and where do you intend to go in your security strategy? Start building your future by forming a deep understanding of your past and current maturity models and using them to shape the next one. In this way, your program will have a distinct starting point – today.

How mature is your security program, and how do you see it advancing in the future? You may have many departments whose responsibilities and security needs differ and overlap. Pinpoint the weaknesses and strengths in your current strategy, starting by assessing the security models in each department.

Do you have regulatory requirements, and are your current practices sufficient to meet them? Have you adopted security into your Software Development Life Cycle (SDLC)? These are areas to assess using interviews, surveys, and meetings to help you frame your approach.

Identify the gaps and decide what you would need to secure them, and create a vision of mitigating risks with the goal of eliminating threats in a dynamic organization.

3. Establish an Obtainable, Rational Target State to Achieve

At this point, you know where your program stands and have some idea of the maturity level that you wish the program to attain. Now it’s time to sift through all the data you’ve collected and create an obtainable target state using your assessment.

Be true to your organization when creating your target state. Don’t shoot for the stars with lofty goals that there’s no possibility of reaching. Your target state needs to be measurable, strategic, and within your organization’s constraints, such as budget and time. You don’t need to be at the peak maturity stage in your program, because that’s just not feasible for everyone.

The Next Step: Communicating Your AppSec Program Strategy To Upper Management

As a CISO, you have one final step to go before you can take action and finalize your program: communicating it to your CEO. By using these starting points as a map for your strategy, you’ll be able to communicate clear points and have an easier time aligning expectations and getting support.

The phrase “knowing your audience” applies well to how you communicate your program to the higher powers. Put your strategy in business terms and stress that, while the program may not be a source of profit, it is certainly a safeguard against substantial losses. That framing lets you communicate the strategy’s worth in a way they will easily understand.

Read more here:

CISO AppSec Guide: Application Security Program

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.