Starting an Application Security Program
It's easy to purchase tools, but getting ROI and reduced risk is something that require a little hard work.
Originally, I authored this article for the Veracode Community Website.
I’ve Got the AppSec Tools, Now What?
An article for the Veracode Community:
Fantastic! Your org has purchased shiny new products that will seriously up your game against those pesky adversaries and take a bite out of risk. Often, the first question asked after such a purchase is, “now what?” The purpose of this article is to provide some thought provoking tips aimed to keep AppSec moving along.
Understand Your Landscape
Every industry, every company, and every team is different. Consider number of dev teams and total number of developers. Each company functions a little different from the next. Companies are organized, have diverse company culture and varying levels of software maturity. Wow! A lot of factors play into determining next steps, and ultimately the success of Application Security within your company. So, where do you start? Let’s consider a few more things.
Do you need to be a program manager or a hands-on devSecOps engineer? It depends upon the size of the organization, the number of software products, teams, and developers. Are you going to need to be hands-on-technical running the tools, automating scans and mitigating flaws? Or do you need to be a super-energetic program manager specializing in cat herding? Maybe something in between? Is AppSec going to be a team of one or a few? Will there be roles to fill? The aligned resource(s) should be reflective size. For example, a heads-down programmer who knows Application Security inside and out might lack skills necessary to lead a multi-national, multi company enterprise of 100’s or 1000’s of developers. However, in other scenarios that individual makes all the sense in the world.
Know Your Dev Teams
What does your appSec inventory look like? If you don’t have one already, it’s a good first step to get one started and commit to maintaining it. What programming languages are being used? How about development tools? Are teams Agile, Waterfall, or Wild West? Even for a company with one agile “2 pizza team”, an inventory will help in the formation of an appSec roadmap.
If you can’t embed within a team, the more you interact with them and speak their language, the greater chance for success. You don’t want to be the security personality that developers run away from. Rather, cultivating open and honest communication will help in the long term as you share in the success of high quality secure releases that lower application risk for the organization. As a check point, are developers coming to you asking questions, and is your only communication to developers, “Just fix your darn code”. As a developer who would you rather work with?
In large orgs, finding a Security Champion to help carry the AppSec banner will help multiply the efforts. As your program succeeds and grows, your time may start to spread thin. Champions can help with setting up scans, automation and mitigations, just to name a few activities. These individuals will have or develop the same AppSec passion that led you to where you are today. Security Champions will be a great resource going forward. A champion per team is a good goal to have in large environments. The individual will help keep things moving when you can’t be there yourself. Ultimately, all developers need to become secure developers, and Champions are a first step to help get there.
Leverage Your Veracode Resources
Your assigned account manager, customer success manager, and solution architect. They usually come with the product and their Raison d’Être is to make you successful! It’s important to get to know them, and keep the lines of communication open and prioritized. Challenge and hold the Veracode team accountable to help you leverage and get as much value from the tools as possible. Meet often, set goals and work together. Leverage consultation calls to get help get to the root of the problem with the hard issues. Consultation calls are a great way to get down to the core of the flaw quickly.
The Veracode squad is just as important as the tool itself. Lastly, leverage your two new favorite websites: Veracode Community Website and Veracode Help.
User Access to the Veracode Platform
Implement single sign on to Veracode if your company has the capability. Make it easy to get on Veracode to look at results. Regarding team size, think about the various roles, groups, and views that might be needed for accessing the platform. It is tempting to go with a flat structure where everyone sees everything, but you might be limiting yourself or creating extra work down the road with one all-encompassing team. A Baby Bear (just right) approach to teams, roles and groups will help not only for access, but also for reporting metrics and showing the value of Application Security.
Depending on how you roll out the platform (you do have a plan for that, right?) The number of users will likely grow. As the user base grows, it might be helpful to have a slide deck or develop a consistent step-by-step Veracode website walk thru to show new users. Be prepared to demo the Veracode website over, and over, and over again. Given Veracode’s automation capabilities, users may not need to get in very often, so it’s good to have reminder sessions to help keep the platform fresh in their minds.
It’s hard to go from 0 to 60 miles per hour in 1.99 seconds. Unless you are in a Tesla, it takes time to get up to speed and mature. A roadmap is a good way to show how the program will mature. Those executive-types love to see what you plan to do, how it will help reduce risk, and when you intend to get there. Will it be iterative? How many iterations? What percentage of repos will you be scanning and by when? How will tools be rolled out? Will you take a team-by-team approach, or roll out one tool at a time? At what point will automation be implemented? Follow the roadmap and adjust as needed. Each iteration is a notch in your maturity belt and a step closer to Plaid Speed!
Show Your Value
Your company has invested in AppSec tools, and most importantly, they’ve invested in YOU! If they didn’t believe you were the best person for the job, you wouldn’t be doing it. Success depends on your ability to show that the program is making things better. It is by showing how you are leveraging the tools, how teams are performing, and ultimately how you are performing. Using Veracode’s reporting capabilities is a great way to show this value.
Veracode comes with great out of the box reports that can be customized by role. It is possible to make a dashboard that shows exactly what a user needs to see based on their permissions, by leveraging the access groups you determined in the section above. A dashboard for each team that aggregates up the food chain provides a lot of value. For example, the team dashboard aggregates to a director’s dashboard that aggregates to a CISO/CIO view. An example of a metric might be a simple aggregated percent compliant metric for a CISO representing the whole enterprise. Whereas, a listing of code bases that pass or fail compliance would be more meaningful to a busy director. Of course, development teams need to see the nitty gritty details as feedback to identify and mitigate.
The article wasn’t about the technical aspects of the products and services you purchased. It was intended to help aspiring AppSec program managers and engineers to get a glimpse into the softer side of starting an AppSec journey.