Becoming Optimus Prime Within Your AppSec Initiatives

When I was a child, I didn’t dream of becoming a legendary football player or a rock star. My dream was to become a Transformer: specifically Optimus Prime. I am sure some of you in the audience shared the same dream. As you can probably guess, unfortunately, this dream did not come true. But what I “am” going to share with you today is how to become something even better than Optimus Prime. We’re going to embark on a journey that will make you nothing less than a Transformer within your own organization.

The Seven Steps to Success

Let me take you through the seven simple steps that will help you become an AppSec Transformer.

1. First and foremost, you will require Executive Sponsorship. Senior Management buy-in is essential to secure resources and funds for your AppSec program.
2. Once you get management approval, it’s time to define the goals and set rules for specific AppSec policies. For example, you may decide to focus primarily on the OWASP Top 10 to start your security program.
3. Remember with great power comes great responsibility. You and your organization must embrace software security solutions that are fully capable of operating in a highly-automated fashion, within the development “tooling” in use, and at scale. ​
4. This is the perfect place to clear up a common misconception. When it comes to application security testing (AST) solutions, in order to mitigate the risk of software exposure, you need to identify every vulnerability throughout your software development life cycle (SDLC). It’s all about multiple layers, and multiple touchpoints. While it may seem obvious that no single AST solution can fully protect your applications, you’ll need to make use of different tools and solutions to achieve the desired results.
5. Once the vulnerabilities have been identified, you’ll need a solution that can correlate the results across various AST products to help further “automate the improvement” of the results quality. For example, a vulnerability that is found by both SAST and IAST means that it is probably a true positive. (Additional synergy can found between SAST and SCA, in addition to SCA and IAST). ​
6. Once you’ve achieved your AST goals, it’s time to move to the most important next step—vulnerability remediation. Focus on fixing what matters most. This is achieved by fine tuning remediation efforts via the use of advance methods like machine learning, AI, automated prioritization, and policy tuning. The end result, of course, is to simplify the job of both developers and security professionals, delivering a high level of automation at great scale.​
7. Finally, you want to make sure you can easily track and improve the software security in your organization. By creating specific KPIs based on security status, business-specific application status, project-specific security trends, aging, burn down rates, density and top vulnerabilities views, you can make sure you reduce your software exposure risk to a minimum.

Time to Move to a New Era

You need to move beyond the barriers and limitations of traditional, gated software security approaches, and move to a new era where your organization has a full visibility and control of their software exposure, at any stage of their development life cycle. Rather than secure coding being a burden for developers, defeating software exposure requires integrating software security solutions into the way businesses and developers work. If we can accomplish that, we can give developers the information they need, when they need it, within the tools they use every day. As we realize through the years, not all dreams come true. I will not become Optimus Prime. But embedding security throughout your software development life cycle will allow you to fulfill a professional dream, and become the Optimus Prime of your organization's AppSec program. To learn more about how to instill security into your CI/CD pipeline using Checkmarx Software Security Platform, click here.