In my previous article, I discussed an AppSec Program and why you should have one. In this article, I will focus on the minimum number of components an AppSec Program should consist of and an easy method to measure its maturity level.
During my 14+ years working in the AppSec industry, I have helped numerous Fortune 500 companies build and mature their AppSec Programs. Looking across all of these programs, there are 20 common components they all share. I like to refer to the collection, or combination, of these 20 components as the Minimum AppSec Program (MAP).
For ease of understanding and consumption, I have divided these 20 components into four categories: Governance, Construction, Knowledge, and Operations (see figure 1 above).
Those who have experience assessing the maturity level of an AppSec Program might see some similarities with OpenSAMM or BSIMM. These are what I would like to call heavy-weight methodologies. The challenge with these methodologies is that you need a lot of knowledge of, and experience with, AppSec to use and understand them. Additionally, doing a maturity level assessment with either methodology can take weeks or even months! Unfortunately, you may not have the luxury of that amount of time. You need an AppSec Program now! Using my MAP, you can do a maturity assessment in just a few hours. Let me explain.
First, you need to sit in front of the right people for the job: the person responsible for AppSec (e.g. the CISO) and the person in charge of AppDev (e.g. the VP of Engineering). For a maturity assessment, I like to ask them five questions per component. These questions and their predetermined answers are in layman's terms. Hence, they do not require a lot of specific AppSec knowledge to understand and use. Every question has five answers, rated from non-existent (0) to fully implemented (4). Using this Q & A methodology, it is relatively easy to determine the current maturity level of the AppSec Program and where you need to focus your efforts next in order to reach the desired maturity level for your entire AppSec Program (see figure 2 below for an example of some possible assessment results).
For the sake of this article, I will not go over each question and answer. We can discuss these in a personal session. However, I would like to help you get at least a minimal understanding of where you stand with your MAP. So I have listed the 20 components and their meaning below.
I trust this article has been of help to you. If you are interested in discussing your AppSec Program or want to perform a maturity assessment using my method, please connect with me. See my contact details below.
Percy Rotteveel - Cell: (650) 421-3631 - eMail percy@rotteveel.ca
Article: https://www.linkedin.com/pulse/how-start-assess-appsec-program-percy-rotteveel/