Back to Feed

How to Build a Successful AppSec Program

Kunal Bhattacharya


July 9, 2024

Joining a new organization as an AppSec leader with decision-making authority and a budget presents a unique challenge: building a robust Application Security Program. While partner and stakeholder engagement is crucial, this article will focus on the internal aspects of the task.

For seasoned professionals, this process raises numerous questions. What current AppSec capabilities exist? What are the critical assets that require protection? How has the organization's security posture evolved over time? What is the security skill level of the engineering team? Understanding these factors is essential before diving into tool selection.

The worst approach an AppSec leader can take is choosing a tool without grasping the context. It's vital first to understand the scope of influence, the assets to be protected, the tech stack, and the maturity level of the organization’s Software Development Lifecycle (SDLC).

Assessing SDLC Maturity

Several frameworks, such as BSIMM and OpenSAMM, can help evaluate SDLC maturity. If time and budget allow, conducting a maturity assessment—either self-assessed or externally—is a recommended starting point. This assessment reveals tooling gaps and clarifies the organization’s SDLC maturity. Maturity levels can generally be categorized as follows:

  • Level 1: Initial - Ad-hoc and informal processes with limited documentation and controls.
  • Level 2: Repeatable - Basic processes are defined and mostly repeatable, though inconsistencies exist.
  • Level 3: Defined - Formalized, documented processes with a focus on quality and consistency.
  • Level 4: Managed - Standardized metrics monitor process effectiveness, leading to continuous improvement.
  • Level 5: Optimizing - Continuous improvement is a core principle, focusing on optimizing processes for efficiency and effectiveness.

Evaluating Skills and Tooling Gaps

Once the maturity level is established, evaluate the team’s skills and existing tools. Create a prioritized list of gaps in skill sets and tooling (e.g., SAST, SCA, pentesting). Prioritize immediate challenges while keeping long-term goals in mind. Quick wins are essential to demonstrate progress, but they must align strategically with building a robust AppSec program.

For organizations at Level 1, processes are often reactive, responding to vulnerabilities only after they’ve been exploited. This is where the concept of "Shift Left" becomes crucial. By integrating security controls early in the development process, teams can identify and resolve issues much sooner, significantly reducing costs and risks.

According to research by the Ponemon Institute, fixing vulnerabilities in production is costlier than addressing them during development. This cost difference highlights the importance of incorporating tools like Software Composition Analysis (SCA) and Static Application Security Testing (SAST).

The Role of SCA and SAST Tools

SCA Tools: These tools analyze open-source components within your codebase, identifying known vulnerabilities in third-party libraries. By catching these issues early, organizations can ensure that they aren’t introducing risks through dependencies, which is especially critical given the widespread use of open-source software today.

SAST Tools: These tools analyze source code or binaries to detect security vulnerabilities early in the software development lifecycle (SDLC). By providing real-time feedback to developers, SAST tools help ensure that secure coding practices are followed, reducing the likelihood of vulnerabilities being introduced in the first place.

Implementing SCA and SAST tools helps teams build security into the development process.

However, if the maturity level is low, vulnerable code is likely already being deployed. In such cases, it's crucial to understand the security of the existing production landscape.Implementing penetration testing for live products can provide valuable insights. While fixing issues in live products can be costly, it is often necessary to avoid regulatory and legal repercussions. Additionally, this approach helps identify prevalent vulnerabilities, offering visibility into the organization's threat landscape. For instance, if 50% of issues detected during penetration testing are related to XSS or SQL injection, prioritizing input sanitization and output encoding can yield significant returns.

Fostering Collaboration Between Security and Development

A crucial aspect of a successful Application Security Program is the relationship between security and development teams. It’s essential to create a collaborative environment where both teams work together rather than against each other. This collaboration can be fostered through:

Regular Communication: Establish open channels for ongoing discussions about security concerns and best practices.

Shared Goals: Align security and development objectives to ensure both teams are working towards common outcomes.

Integrated Workflows: Incorporate security checks seamlessly into the development process, minimizing disruptions and fostering cooperation.

Choosing the Right Tools: It's important to select SCA and SAST tools that facilitate collaboration. Tools that flood developers with too many vulnerabilities without context can hinder productivity and lead to frustration. Instead, opt for tools that prioritize issues, provide clear context, and offer actionable remediation steps like Backslash This ensures that developers receive relevant information, helping them focus on critical vulnerabilities and fostering a cooperative environment.

Building a positive relationship ensures that security is seen as an enabler, not an obstacle, leading to more effective and efficient development practices.

Metrics and Key Performance Indicators (KPIs)

To measure the success of the Application Security Program, it's important to track relevant metrics and KPIs. These can include:

Number of Vulnerabilities Detected: Track vulnerabilities identified by SCA and SAST tools over time.

Time to Remediate: Measure the time taken to resolve identified vulnerabilities.

Security Defects per Release: Assess the number of security-related defects identified in each software release.

These metrics provide valuable insights into the effectiveness of the security program and help identify areas for improvement.

In summary, for organizations looking to move beyond Level 1 maturity, adopting Shift Left practices with SCA and SAST tools, fostering collaboration between security and development, and tracking key metrics are foundational steps toward building a more secure and cost-effective development process.

Building the Roadmap

Identifying these low-hanging fruits helps set the stage for developing the Application Security Program roadmap—a journey that may span 2-3 years, depending on the initial maturity state. The roadmap should detail the rationale behind each step, including costs related to personnel and tools, whether to buy or build.

As capabilities are developed and checked off, it’s important to regularly reassess and adjust the roadmap. Organizations are dynamic; priorities shift, and so must the security strategy. Continuous adaptation ensures the program remains aligned with organizational needs.

In conclusion, building an Application Security Program is a strategic endeavor that requires careful planning and execution. By assessing current capabilities, understanding gaps, and developing a roadmap with both short- and long-term goals, AppSec leaders can effectively safeguard their organizations against evolving threats.