4 Steps for CISOs to Improve Their Organisation’s Application Security Program

By : Ian Hall | Monday, October 26 2020 - 11:00 IWST

Ian Hall - Asia-Pacific Client Services Manager, at Synopsys Software Integrity Group

INDUSTRY.co.id - Synopsys recently published its annual Building Security In Maturity Model (BSIMM) report, created to help organisations plan, execute, measure, and improve their software security initiatives. Now in its 11th iteration, BSIMM is a helpful guide for CISOs and security executives to compare their data against industry peers and pinpoint specific areas of need in their own application security (AppSec) program. This enables businesses to develop, improve, and mature their programs using BSIMM as a benchmark.

The following four steps provide a good foundation or starting point:

1. Identify Maturity Phase

BSIMM defines three maturity phases of an AppSec program. Identifying whether an organisation is emerging, maturing, or optimising is the necessary foundation to build on. Executives should review the common markers of each phase to determine where they currently stand.

Emerging: An organisation starting from scratch, or formalising current ad hoc security activities. In this phase, the initial strategy may already be defined, foundational activities may have been implemented, and a rough roadmap might already exist. However, there are constraints such as budget and a lack of resources and talent, and it is projected that 12 to 24 months are needed for the program to evolve.

Maturing: An organisation with an existing or emerging AppSec program that is working on scaling, streamlining, and meeting executive expectations. Key activities may include applying existing activities to a greater percentage of technology stacks, departments, or the software portfolio. Security leadership might add fewer new activities while increasing the depth, breadth, and cost-effectiveness of current ones.

Optimising: An organisation that is fine-tuning its existing AppSec program. Security management in this phase has a clear view of operational expectations and the associated metrics. There should also be seamless adaptation to technology change drivers. In addition, risk management and business value are clearly demonstrated as differentiators. At this point, AppSec leaders may be undergoing personal growth from technology executive to business enabler.

2. Embrace DevSecOps

CISOs and security teams must address the role of security within a DevOps environment, which means embracing DevSecOps. Focus should be placed on promoting security self-service for the development team, including automation in the secure software development lifecycle (SSDLC), and on removing points of friction. Speed, agility, and automation are key considerations, as security must keep up with the pace of DevOps.

3. Implement Key Activities

The activities form the backbone of the BSIMM. Each year's report identifies which activities the various organisations in the data pool are performing. The activities are then ranked by frequency. This approach gives CISOs a snapshot of the most widely used activities among their peers.

BSIMM11 found several activities that grew explosively in the past year. Security executives should consider these activities as they play a key role in many successful AppSec programs.

For example, the chart above shows the use of application containers (SE3.4; now SE2.5) on the rise, from 0 organisations in BSIMM7 (2016) to 31 in 2020. Organisations are using application containers to make deployment easier and, at the same time, to decrease costs. The increase in the use of orchestration for containers and virtualised environments (SE3.5) also helps ensure that workloads meet security requirements. It is also interesting to note that businesses are ramping up their efforts to ensure cloud security basics (SE3.7; now SE2.6) are in place, to keep pace with the overall increase in adoption of cloud-based deployments.

4. Define Roles and Responsibilities

Identifying individuals and their roles in an AppSec program reduces confusion while empowering teams to be proactive and innovative. CISOs should review the roles of teams within the AppSec program to determine whether they can create clearer boundaries and expectations in their own organisations. BSIMM categorises these roles into four main groups:

Executive leadership: The most successful AppSec initiatives are those with executive sponsorship and oversight. Programs gain acceptance and support throughout an organisation when they have executive buy-in. Having a single person (typically the CISO) in charge of security decisions allows the program to move forward without bottlenecks.

Application security team: Virtually all 130 organisations observed in BSIMM11 have an established AppSec team in place, though their structure and the names they go by vary greatly. Without this team, organisations would find it impossible to be consistent in their AppSec efforts. Executives should prioritise and closely align with this team to help drive and deliver security goals.

Security champions: Security champions are employees outside the security team who help raise awareness of, and garner support for, AppSec practices among different members of the organisation. Executives should identify existing security champions within their organisations and foster relationships with potential champion recruits who can help ensure adherence to AppSec best practices throughout the SSDLC.

Everyone else: All employees play an indirect role in security. They can spread awareness, understanding, and support for security practices and development. Executives should encourage education, inclusion, and awareness across the entire organisation to give their AppSec programs the best chance of success.

Regardless of whether you are a new CISO, someone in an emerging organisation, or a CISO overseeing existing programs, there are checklists to help you along. While addressing the four steps above, the CISO or security executive should consider diving into the full BSIMM11 report, which contains checklists to jumpstart and develop your AppSec program, and much greater insight into the activities, practice areas, and domains of the most successful AppSec programs operating today.
