What is the maturity level of your AppSec program?

By: Taylor Armerding, Senior Security Advocate, Synopsys Software Integrity Group | Friday, April 15 2022 - 20:03 IWST

Taylor Armerding, Software Security Expert at Synopsys Software Integrity Group (Photo by Linkedin)

INDUSTRY.co.id - SINGAPORE – Any organisation that wants to secure its software should make maturity of its AppSec program its holy grail. Maturity means making security the first thought, not an afterthought.

It means embedding security into software throughout the development life cycle, not trying to patch it at the last minute before production.

Getting the desired result, software that customers can trust, doesn't happen by accident. As a recent analysis by Forrester Research put it in a white paper titled "Gauge the Maturity of Your Product Security Program," maturity requires more than simply embedding security tooling or deploying application protections.

To get to a maturity level where product security is a business enabler, “security teams must prioritise collaboration with product teams and invest in capabilities that automate security detection and remediation, seamlessly integrate into the product life cycle, and measure the impact on the business and customers,” according to the Forrester white paper.

How can you evaluate your level of maturity? Forrester is ready with a checklist of six stages in what it calls the Forrester Secure What You Sell Model. Those stages are discover, define, align, build, launch, and grow. Within each stage is a list of markers that help an organisation determine its current level of maturity and what it may need to do to reach a higher level. In essence, it lets users create their own report card.

Six stages to secure what you sell

Discover: A project in this early stage might be just a gleam in the eyes of the product team, but this is the time to conduct risk assessments and threat intelligence assessments and to enumerate possible abuse scenarios. Those can surface security and privacy implications the product team may not have considered. It's the beginning of the maturity activity called "planning ahead."

Define: To design security into a product, security teams need to know its range of intended uses, who is going to be using it (target markets), and any regulatory requirements. It should also include requirements on upgrading, maintenance, and support throughout the product’s lifetime. The security team can then collaborate with the product team to design what Forrester calls “the thresholds of minimum viable security—the minimum controls necessary to protect the business when the product deploys.”

Align: This means setting staffing, tooling, and licensing requirements to protect the product once customers are using it. It may require new or custom-built tooling if the product will employ new technologies or development approaches. If the product uses open source or third-party software components (as almost all do), it's important to determine how to manage that third-party risk. That includes creating an inventory, or software bill of materials (SBOM), for all third-party supply chain dependencies, including data, code, and materials. An inventory with gaps (components with no recorded version or origin) can't be matched against vulnerability advisories, so completeness matters as much as existence.

Build: For those with expertise and experience in DevSecOps, the activities at this stage will be familiar. They include automated testing tools like static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) integrated into the CI/CD pipeline. This helps developers address security issues throughout the process: instead of only "shifting left," the goal is to "shift everywhere" so that the right test runs at the right time. During penetration testing, security pros should consider misuse scenarios and test the product not just for what it should do, but also for what it shouldn't be able to do.
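The Align and Build stages above both turn on the same artifact: a dependency inventory that an automated check can act on. The following is an added illustration, not code from the article, from Forrester, or from Synopsys. It builds a minimal CycloneDX-shaped SBOM from a constructed dependency list, flags components that can't be matched to advisories, and applies an SCA-style gate of the kind a CI pipeline would run. The package names and advisory IDs are hypothetical and describe no real vulnerabilities; a real pipeline would generate the SBOM from the lockfile and pull advisories from a vulnerability database.

```python
"""Minimal SBOM inventory plus SCA-style CI gate (added example).

All inputs below are constructed for illustration: the package names,
versions and advisory entries are hypothetical and do not refer to real
software or real CVEs.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input, standing in for what a lockfile resolver
# would report for one build. The third entry has no pinned version.
DEPENDENCIES = [
    {"name": "acme-http", "version": "2.3.1", "purl": "pkg:pypi/acme-http@2.3.1"},
    {"name": "acme-yaml", "version": "5.3.1", "purl": "pkg:pypi/acme-yaml@5.3.1"},
    {"name": "vendor-blob", "version": None, "purl": None},
]

# Constructed advisory feed (hypothetical IDs, not real advisories).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "acme-yaml", "fixed_in": "5.4.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "name": "acme-http", "fixed_in": "2.0.0", "severity": "critical"},
]


def build_sbom(deps):
    """Return a CycloneDX 1.4-shaped inventory document for the dependencies."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "components": [
            {"type": "library", "name": d["name"], "version": d["version"], "purl": d["purl"]}
            for d in deps
        ],
    }


def parse_version(s):
    """Dotted numeric version -> tuple of ints, so '5.10.0' sorts after '5.4.0'."""
    return tuple(int(part) for part in s.split("."))


def inventory_gaps(sbom):
    """Components that cannot be matched to advisories (no version or no purl)."""
    return [c["name"] for c in sbom["components"] if not c["version"] or not c["purl"]]


def find_vulnerable(sbom, advisories):
    """SCA-style match: report components whose version is below an advisory's fixed_in."""
    findings = []
    for c in sbom["components"]:
        if not c["version"]:
            continue  # unpinned; reported separately by inventory_gaps()
        for adv in advisories:
            if adv["name"] == c["name"] and parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": c["name"],
                    "version": c["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return findings


def gate(sbom, advisories, fail_on=("high", "critical")):
    """CI gate: block on findings at the configured severities and on inventory gaps.

    Gaps block too, because an inventory with holes gives false assurance:
    an unmatchable component is not a clean component.
    """
    findings = find_vulnerable(sbom, advisories)
    gaps = inventory_gaps(sbom)
    blocking = [f for f in findings if f["severity"] in fail_on]
    return {"ok": not blocking and not gaps, "blocking": blocking, "gaps": gaps}


if __name__ == "__main__":
    sbom = build_sbom(DEPENDENCIES)
    print(json.dumps(sbom, indent=2))
    result = gate(sbom, ADVISORIES)
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["ok"] else 1)
```

With the constructed input the gate fails twice over: acme-yaml 5.3.1 is below the hypothetical fix version 5.4.0, and vendor-blob has no version to match against. acme-http 2.3.1 is already past its advisory's fixed_in and is not reported.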

Launch: At this stage the product is generally available, so the security team must protect it with tools like web application firewalls, bot management, runtime application self-protection, and tamper-proofing. These should be chosen to protect both the product and customer data based on the risks and threats identified earlier in the life cycle. The team should also collect telemetry from those controls to help detect and respond to attacks.

Grow: The job of the security team at this final stage is to analyse feedback from protection technologies and compare the product's security metrics with established baselines and benchmarks. A key goal is to make product security a competitive differentiator. That means analysing the customer experience and making any changes that improve the balance of security and usability.

Application security at every level

If you're just getting started, don't expect maturity to happen overnight. It's going to take investments of time and people. An organisation's leaders shouldn't give up if they can't check all these boxes immediately because, as the cliché says, security isn't an event. It's a journey, a process. To help organisations evaluate where they are on that journey and what they need to do, Forrester concludes with some advice on what to do if you're at the beginner, intermediate, or advanced level.

Beginner: Laying the foundation for product security requires updating security processes and tooling to remove undue friction for developers. Additionally, an assessment of the budget, skills, and tools you have will enable your security team to engage effectively with product teams at all stages of the product life cycle.

Intermediate: The focus at this level should be on investments in automation and metrics. Select automated and integrated tools carefully and introduce them gradually. Then use metrics to measure their effectiveness. And make sure your product security initiatives extend across the entire product life cycle for both new and updated products.

Advanced: At this point, your organisation can turn product security features into revenue growth. But those features won't yield a competitive advantage if nobody knows about them, so this is the time to engage with other business leaders to craft a strategy for creating awareness in the market.
