Blogs

Shifting Left with a Twist: Leveraging AI to Create Security Unit Tests

In the ever-evolving landscape of Application Security (AppSec), the term “shift left” has become somewhat of a mantra. This concept implies that the onus of writing secure code is progressively shifting towards software engineers. Consequently, a myriad of AppSec tools are being integrated into the engineers’ build processes, subtly altering the way they construct their code. But what if we could take a slightly divergent approach to this “shift left” movement?
October 8, 2023

The price of SAST as an afterthought

Your number one priority in building a new application? Getting it into the hands of potential customers as fast as possible. Understood, but what are the risks of this practice? Your Application Security (AppSec) is an afterthought, and the risk exposure of your company is unknown. Now, I am not here to judge this approach, but rather to applaud you for wanting to address the issue. This article provides you with a method to determine how much time (=$$) is needed to address potential vulnerabilities in your application.
January 16, 2023

Where did I write that down?

Albert Einstein once said, “Order is for the stupid, only the genius rules the chaos”. But, if you are like me, jumping from one meeting to the next, you might lose track of where you have written down what. As a result, you have to search through piles of documents to look for that particular piece of information. Anything really, but I think of an email address, a phone number, a DOB, etc. Regardless of what you’re looking for, the search eats up lots of your valuable time.
December 18, 2022

Building an AppSec Program can be a challenge. Where do you start, and what should it entail?

In my previous article, I discussed an AppSec Program and why you should have one. In this article, I will focus on the minimum number of components an AppSec Program should consist of and an easy method to measure its maturity level. During my 14+ years working in the AppSec industry, I have helped numerous Fortune 500 companies build and mature their AppSec Programs. When looking at all these programs, there are 20 common components they all share.
September 2, 2022

Having an AppSec Program Is an Absolute Must. But What Is It, Really?

Reducing the risk exposure of your company comes down to one key thing: increasing the security posture of your application portfolio. To accomplish this, you need a proper application security (AppSec) program. But what, exactly, is an AppSec program and what are its major components? To help you get started, or to mature the program you already have in place, read on for some helpful clarification and directions. First, let’s address your AppSec policy, since this is what every well-designed AppSec program is based on.
November 3, 2021

Update Your AppSec Policy Based on Current Trends.

As we can read in various research papers, exploitable vulnerabilities in applications remain a top cause of external breaches. Due to the pandemic, applications often became the only way to engage with customers, which has exacerbated the problem. To increase the security posture of your application portfolio, you should have a robust Application Security (AppSec) program in place. To make sure everybody in your organization knows what needs to be done, the basis of your AppSec Program should be an easy-to-understand and accessible AppSec Policy.
September 23, 2021
Nifty tech tag lists from Wouter Beeftink