4 Steps for CISOs to Improve Their Organisation’s Application Security Program

By : Ian Hall | Monday, October 26 2020 - 11:00 IWST

Ian Hall - Asia-Pacific Client Services Manager, at Synopsys Software Integrity Group

INDUSTRY.co.id - Synopsys recently published its annual Building Security In Maturity Model (BSIMM) report, created to help organisations plan, execute, measure, and improve their software security initiatives. Now in its 11th iteration, BSIMM gives CISOs and security executives a way to compare their data against industry peers and pinpoint areas of specific need in their own application security (AppSec) program, so that they can develop, improve, and mature the program with BSIMM as the benchmark.

The following four steps provide a solid foundation and starting point:

1. Identify Maturity Phase

BSIMM defines three maturity phases of an AppSec program. Identifying whether an organisation is emerging, maturing, or optimising is a necessary foundation from which to build. Executives should review the common markers to determine where they currently stand.

Emerging: An organisation starting from scratch, or formalising currently ad hoc security activities. In this phase the initial strategy may already be defined, foundational activities implemented, and a rough roadmap developed. Constraints such as budget and a lack of resources and talent are typical, and 12 to 24 months is a realistic horizon for moving to the next phase.

Maturing: An organisation with an existing or emerging AppSec program that is working on scaling it, streamlining it, and meeting executive expectations. Key activities may include applying existing activities to a greater percentage of technology stacks, departments, or the software portfolio. Security leadership in this phase tends to add fewer new activities and instead increase the depth, breadth, and cost-effectiveness of the current ones.

Optimising: An organisation that is fine-tuning an existing AppSec program. Security management in this phase has a clear view of operational expectations and the associated metrics, and the program adapts smoothly to technology change drivers. Risk management and business value are clearly demonstrated as differentiators. At this point the AppSec leader's role is shifting from technology executive to business enabler.

2. Embrace DevSecOps

CISOs and security teams must address the role of security within a DevOps environment, which means embracing DevSecOps. The focus should be on security self-service for development teams: automating security activities in the secure software development lifecycle (SSDLC) and removing points of friction. Security has to keep pace with DevOps, so speed, agility, and automation are the key considerations.

3. Implement Key Activities

The activities form the backbone of the BSIMM. Each year's report records which activities the organisations in the data pool are performing, and ranks them by how many firms perform each one. This gives CISOs a snapshot of the activities most widely used by their peers.

BSIMM11 found several activities that grew sharply in the past year. Security executives should consider these activities, as they play a key role in many successful AppSec programs.

For example, the chart above shows the use of application containers (SE3.4; now SE2.5) rising from 0 observations in BSIMM7 (2016) to 31 in BSIMM11 (2020). Organisations are using application containers to make deployment easier and at the same time reduce costs. The growing use of orchestration for containers and virtualised environments (SE3.5) lets organisations enforce security requirements on workloads at deployment time rather than relying on each team to apply them by hand. It is also notable that businesses are ramping up their efforts to ensure cloud security basics (SE3.7; now SE2.6) are in place, keeping pace with the overall increase in cloud-based deployments.
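The DevSecOps point in step 2 (security as automated self-service) and the orchestration activity above (SE3.5, workloads that meet security requirements) come together in a policy check that runs before a workload is scheduled. The following is an added example and is not code from the BSIMM report, from Synopsys, or from the article: a baseline check a security team could wire into a CI job or a Kubernetes admission webhook. The rule set is a hypothetical baseline chosen for this example, and the two Pod manifests are constructed test data.

```python
"""Added example (not from BSIMM or the article): a baseline policy check that
a security team might run in CI, or behind an admission webhook, so that
container workloads meet security requirements before the orchestrator
schedules them. The rules are a hypothetical baseline chosen for this example;
the two Pod manifests below are constructed test data."""

from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Finding:
    container: str  # container name, or "<pod>" for pod-level settings
    rule: str
    message: str


def _all_containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    # initContainers run with the same privileges as app containers, so check both.
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def _image_is_pinned(image: str) -> bool:
    # Pinned means a digest, or an explicit tag other than "latest".
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop the registry host, which may carry a port
    if ":" not in last:
        return False  # no tag at all resolves to :latest
    return not last.endswith(":latest")


def check_pod(manifest: Dict[str, Any]) -> List[Finding]:
    """Return the policy violations in a Kubernetes Pod manifest given as a dict."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings: List[Finding] = []

    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        findings.append(Finding("<pod>", "host-namespaces",
                                "hostNetwork/hostPID/hostIPC share the node's namespaces with the pod"))

    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        limits = c.get("resources", {}).get("limits", {})

        if sc.get("privileged"):
            findings.append(Finding(name, "privileged", "privileged container is equivalent to root on the node"))
        # A container-level securityContext overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(Finding(name, "run-as-root", "runAsNonRoot must be true"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding(name, "privilege-escalation",
                                    "allowPrivilegeEscalation must be false (setuid binaries and file caps still work otherwise)"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(Finding(name, "writable-rootfs", "readOnlyRootFilesystem must be true"))
        if "ALL" not in {x.upper() for x in caps.get("drop", [])}:
            findings.append(Finding(name, "capabilities", "capabilities.drop must include ALL"))
        if not _image_is_pinned(c.get("image", "")):
            findings.append(Finding(name, "unpinned-image", "image must use a fixed tag or a digest, not :latest"))
        if not {"cpu", "memory"} <= set(limits):
            findings.append(Finding(name, "resource-limits", "cpu and memory limits are required"))
    return findings


def admit(manifest: Dict[str, Any]) -> bool:
    """Admission decision: True only when no rule fires."""
    return not check_pod(manifest)


# Constructed sample manifests (not taken from any real deployment).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "nginx:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.example.com/web@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: admit={admit(pod)}")
        for f in check_pod(pod):
            print(f"  [{f.rule}] {f.container}: {f.message}")
```

Run stand-alone, the script rejects the weak manifest with eight findings and admits the hardened one. The same function can sit behind an admission webhook (where the manifest arrives as the JSON body of an AdmissionReview) or in a CI job that loads the manifest from YAML, which is the self-service shape step 2 calls for: developers get a pass/fail and a reason before the workload reaches the cluster.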

4. Define Roles and Responsibilities

Identifying individuals and their roles in an AppSec program reduces confusion while empowering teams to be proactive and innovative. CISOs should review the roles of the teams within their AppSec program to see whether they can set clearer boundaries and expectations. BSIMM groups these roles into four:

Executive leadership: The most successful AppSec initiatives are those with executive sponsorship and oversight. Programs gain acceptance and support throughout organisations when they have executive buy-in. Having a single person (typically the CISO) in charge of security decisions allows the program to move forward without bottlenecks.

Application security team: Virtually all 130 organisations observed in BSIMM11 have an established AppSec team in place, though their structure and the names they go by vary greatly. Without this team, organisations would find it impossible to be consistent in their AppSec efforts. Executives should prioritise and closely align with this team to help drive and deliver security goals.

Security champions: Security champions are employees outside the security team who help raise awareness and garner support of AppSec practices among different members of the organisation. Executives should identify existing security champions within their organisations and foster relationships with potential champion recruits who can help ensure compliance with AppSec best practices throughout the SSDLC.

Everyone else: All employees play an indirect role in security. They can spread awareness, understanding and support for security practices and development. Executives should encourage education, inclusion and awareness across the entire organisation to give their AppSec programs the best chance to succeed.

Whether you are a new CISO, a CISO in an emerging organisation, or one overseeing existing programs, there are checklists to help you along. While working through the four steps above, the CISO or security executive should consider diving into the full BSIMM11 report, which contains checklists to jumpstart and develop an AppSec program, along with much deeper insight into the activities, practice areas, and domains of the most successful AppSec programs operating today.
