Having an AppSec Program Is an Absolute Must. But What Is It, Really?

November 3, 2021

Reducing the risk exposure of your company comes down to one key thing: increasing the security posture of your application portfolio. To accomplish this, you need a proper application security (AppSec) program. But what, exactly, is an AppSec program and what are its major components? To help you get started, or to mature the program you already have in place, read on for some helpful clarification and directions.

First, let’s address your AppSec policy, since this is what every well-designed AppSec program is based on. This policy covers the do’s and don’ts of increasing your overall security posture. In short, it addresses the “what” of making your applications more secure. The “how” is addressed in your AppSec program.

For example, your policy defines what counts as a critical vulnerability and stresses that applications must be “vulnerability free” before being deployed into production. Your program, on the other hand, describes how to find those critical vulnerabilities and how to construct a security gate between the quality assurance (QA) environment and the production (PROD) environment.
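To make the policy/program split concrete, here is an added illustration of such a QA-to-PROD gate expressed as code. It is not from the article or its author; the policy definition of “critical” (severity tagged critical, or a CVSS base score of 9.0 or higher), the JSON report layout, the waiver mechanism, and all finding identifiers are assumptions constructed for the example. The policy supplies the definition; the gate function is the program’s “how”.

```python
"""Hypothetical QA -> PROD security gate (added example, not the article's code).

Assumed policy: a finding is critical when its severity is "critical" or its
CVSS base score is >= 9.0; a build with any unwaived critical finding is not
promoted to production. Waivers carry an expiry date so exceptions cannot
silently become permanent.
"""
import json
import sys
from dataclasses import dataclass
from datetime import date

CVSS_CRITICAL_THRESHOLD = 9.0  # assumed policy value, not from the article


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    cvss: float
    component: str


# Constructed sample scanner output; identifiers and scores are made up.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "critical", "cvss": 9.8, "component": "auth-service"},
        {"id": "F-2", "severity": "high", "cvss": 9.1, "component": "payment-api"},
        {"id": "F-3", "severity": "medium", "cvss": 5.3, "component": "web-frontend"},
    ]
})

# Constructed waiver register: finding id -> date the exception expires.
SAMPLE_WAIVERS = {"F-2": date(2099, 1, 1)}


def is_critical(finding: Finding) -> bool:
    """Apply the policy's definition of 'critical' to one finding."""
    return (finding.severity.lower() == "critical"
            or finding.cvss >= CVSS_CRITICAL_THRESHOLD)


def parse_report(raw: str) -> list[Finding]:
    """Turn the (assumed) JSON scanner report into Finding records."""
    data = json.loads(raw)
    return [
        Finding(d["id"], d["severity"], float(d["cvss"]), d["component"])
        for d in data["findings"]
    ]


def evaluate_gate(findings: list[Finding], waivers: dict[str, date],
                  today: date) -> tuple[bool, list[str]]:
    """Return (passed, blocking_ids).

    A critical finding blocks promotion unless it has a waiver that has not
    yet expired. Expired waivers are treated as absent.
    """
    blocking = []
    for f in findings:
        if not is_critical(f):
            continue
        expiry = waivers.get(f.finding_id)
        if expiry is not None and expiry >= today:
            continue  # valid, unexpired exception
        blocking.append(f.finding_id)
    return (len(blocking) == 0, blocking)


def run_gate(raw_report: str, waivers: dict[str, date], today: date) -> int:
    """Process exit code for a CI step: 0 = promote, 1 = block."""
    passed, blocking = evaluate_gate(parse_report(raw_report), waivers, today)
    if passed:
        print("GATE PASS: no unwaived critical findings")
        return 0
    print("GATE FAIL: blocking findings " + ", ".join(blocking))
    return 1


if __name__ == "__main__":
    sys.exit(run_gate(SAMPLE_REPORT, SAMPLE_WAIVERS, date(2021, 11, 3)))
```

With the constructed data, F-1 blocks promotion, F-2 is excused by its unexpired waiver, and F-3 is below the threshold, so the gate fails on F-1 alone; change the waiver date to one in the past and F-2 blocks as well.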

An AppSec program covers three perspectives: People, Process, and Technology. To make it easier to remember, some people call it the three ‘Ps’: People, Process, and Product.

Each of these perspectives focuses on a different view of the program:

  • People: Who is doing what and why?
  • Process: How and when will it be done?
  • Technology: Where will it take place?

There are various frameworks that can help you create or mature your program—for example, NIST SP 800-53r5, ISO 27K, and OWASP SAMM. But, especially if you’re starting from scratch, I suggest starting with the basics. And even if you do use a framework, it helps to truly understand these basics in order to reduce your overall risk exposure.

The following table lists the major components—or basics—of an AppSec program.

Major AppSec Program Components

If you are left with questions or would like to discuss how I can help you with your AppSec Program, feel free to connect with me. See my contact details below.

Percy Rotteveel - Cell: (650) 421-3631 - eMail percy@rotteveel.ca

Article: https://www.linkedin.com/pulse/having-appsec-program-absolute-must-what-really-percy-rotteveel
