Micro Focus is now part of OpenText. Learn more >

You are here

You are here

App sec maturity: How to get there—and stay there

John P. Mello Jr. Freelance writer

The world runs on software. That's one of the reasons applications are a prime target for cyber criminals and other threat actors seeking illicit gains from organizations. It's also why it's more important than ever to have a mature application security program in place and to make sure it remains robust as it grows and ages.

Generally speaking, an app sec program consists of a set of risk-mitigating controls and business functions that support the discovery, remediation, and prevention of application vulnerabilities. Those controls are typically written policies, procedures, guidelines, and standards for ensuring that secure development practices are followed and that the technological and operational processes that implement them are in place.

Setu Kulkarni, vice president for strategy at WhiteHat Security, an application security provider, emphasizes measuring leading indicators, or predictors of success, and lagging indicators, or the success of security outcomes. He also recommends the inclusion of a feedback loop that allows an organization to implement improvements, avoid failures, and introduce rapid experimentation.

"Maturity means that security outcomes are well understood."
Setu Kulkarni

In a mature app sec program, overall application security is the job of the security team, while testing and fixing of defects is left to the development teams. Mature programs typically include developer remediation coaching and electronic learning.

Security coaching is a huge part of having people on a mature app sec team influence developers either one-on-one or one-to-many, by helping them fix hard problems in the moment, diving into the code, working with people shoulder-to-shoulder, said Chris Romeo, CEO and co-founder of Security Journey, an application security education firm.

"Security education is also important, because mature app sec programs have to have a mechanism to teach developers who are just joining the company the foundation of security and how to use security tools."
Chris Romeo

However, the education component in a mature program should be for more than new hires. As the threat landscape changes, it is critical to ensure that software developers are equipped with the skills to write secure code, said Ariel Weintraub, CISO of Massachusetts Mutual Life Insurance.

"Mature programs should have an education platform that allows developers opportunities to continuously increase their knowledge on best practices." 
Ariel Weintraub

Here's what constitutes a mature application security program, plus how to get there—and stay there. 

Balance culture, team, and process

Mature programs should be testing all applications—internal, third-party, and those assembled with open-source components—and should apply a variety of testing techniques in both runtime and non-runtime environments.

What's more, developers should be able to test their code frequently and early in the software development lifecycle. "Code is cheap to fix as you're writing it because you have the right context and right knowledge in the moment," said Hasan Yasar, technical director of the continuous deployment of capability group in the Software Engineering Institute at Carnegie Mellon University.

"If you miss something during code review, then you have to rely on static analysis," Yasar said. Static analysis may be done every day or at every code commit, but if the code isn't being submitted frequently to the code repositories, static analysis isn't going to catch anything until late in the development process, he added.

Metrics are also important in a mature app sec program. Among the metrics and key performance indicators (KPIs) are compliance, flaw prevalence, fix rates, industry standards, and business- and goal-specific performance.

In addition to KPIs, a mature program should also identify key risk indicators. "Organizations should understand their risks associated to application security," MassMutual's Weintraub said.

"In order to mature, organizations must understand the story their metrics are telling them. This is critical to paving a path and prioritizing work in order to focus on the most critical aspects of the program."
—Ariel Weintraub

Sebastien Deleersnyder, co-leader of the OWASP Software Assurance Maturity Model (SAMM) project, added, "A mature security program should have some way to measure its maturity level, otherwise it's hard to call it a maturity model."

Creating a mature app sec program is a balancing act, WhiteHat's Kulkarni said. "It is like the classic speed-quality-cost conundrum," he said. "How do you optimize for all three?"

What Kulkarni has found is that to build a mature app sec program, there needs to be adequate focus on culture, team, and process. "You need to build the right collaborative culture for security, cultivate the right team and not just rely on hyper-experts, and finally iterate over the process of app sec."

"The key here is that it takes time—up to 18 months before one has a mature app sec program." 
—Setu Kulkarni

How to get started

When beginning the journey to maturity, a security model—a BSIMM or OWASP SAMM—can be useful. "The real value of security models is that they help you understand your current state and give you a road map to a future state," said Sandy Carielli, a principal analyst at Forrester Research.

"That's why I like maturity models. They allow you to determine what gaps are critical to you. Then, based on your size and your scale, you can pick a couple of areas most important to you."
Sandy Carielli

At first glance, security models such as BSIMM can be daunting. That's why it's important to cull your activities. "BSIMM gives you a long checklist of good things you could be doing, but you really only need three or four things to get started," said Larry Maccherone, an agile, DevOps, and DevSecOps consultant and one of the founders of the Build-Security-In initiative, a precursor to BSIMM. "What we did wrong when we created BSIMM was we focused on making it comprehensive," he explained.

"You end up with this long list of things, and you don't know where to start. Having one, two, or three things for each engineering team to be working on at one time is key. That is the No. 1 thing of a mature DevSecOps transformation program."
Larry Maccherone

While using a framework is useful, it must be used carefully. "You have to have someone who's been there," advised Romeo. "If you pick up OWASP SAMM in a vacuum and say, 'I'm going to do this,' you'll make some progress, but it's like reading a textbook and then performing surgery. "

Caroline Wong, chief strategy officer at Cobalt Labs, a penetration testing company, has performed more than three dozen BSIMM assessments during her career. She identified four categories of application security activities to focus on when starting the road to a mature app sec program.

First, she said, a mature program must have governance. Consideration must be given to compliance regulations, relationships with other organizations, and having a solid understanding of what it is the organization is supposed to be securing in the first place.

"It’s also important to define metrics up front so that you can demonstrate the success of your program over time."
Caroline Wong

It's critical that an organization know what it's being protected from. That's done with threat modeling. "When I go into a new company and I have to start somewhere, I always start with threat modeling because it teaches how to think about design from a security perspective," Security Journey's Romeo said. "It also replicates itself among development teams. After someone understands how it works and its value, they start to tell other people, and it magnifies itself across an organization."

A mature program must find security issues. Those issues exist in two broad categories: bugs, which are code-level security issues, and flaws, which are design-level defects. There are many ways to find security problems at different points in any software development lifecycle, whether an organization follows a waterfall, agile, or DevOps methodology.

Healthy resolution curves

A mature program must fix errors. It is not good enough to focus on finding security issues, Cobalt Labs' Wong said. The quality of software does not improve until the problems are addressed or eliminated. Fixing security issues requires effective communication, coordination, and integration with development teams and processes.

The practice of getting to healthy resolution curves before expanding the footprint is the sign of a mature program, BSIMM co-founder Maccherone said.

"I'm talking about resolution curves from the very first conversation that I have with a development team, because that's all that matters. The findings don't matter if you can't resolve them."
—Larry Maccherone

He explained that most development teams want to use every tool they can get their hands on and use them on a wide swath of applications. Then they want to leave resolving problems to later or to someone else.

When development teams come to him that are eager to use a battery of scanning tools, he steers them to first use a software composition analysis (SCA) tool, which  software dependencies, where 70% of flaws occur. "Those are the highest risk because they're well known," Maccherone said.

"If a bad guy is going to invest energy in figuring out an attack on an open-source library, he wants it to be used by tens of thousands of apps."
—Larry Maccherone

"I used to tell my teams, 'Let's do SCA first and see how long it takes you to get to healthy resolution curves before we give you the other tools," he said. "They don't like that. If they have to modify the pipeline, they'd like to do it all at once."

For him, there's a big cost consideration. "It cost me $200 a seat for an SCA license," he continued. "It cost me $800 a seat for a SAST license. If the SCA license is finding 70% of the risk, I want you to show me you're going to get value out of the spend on the SCA license before I spend four times as much on a SAST license."

A mature app sec program also needs to prevent security issues from happening in the first place. Wong maintained that the people who build software must understand why vulnerable code is insecure. Developers must be empowered with tech-stack-specific knowledge and tools to help them avoid creating security bugs and flaws in the first place.

"Ideally, good programming practices and well-designed frameworks make it easier for developers to write secure software by default and harder for them to make mistakes."
—Caroline Wong

Cloud environments must be configured correctly to prevent security vulnerabilities from being exploited, and attacks must be discovered and stopped as early as possible in order to minimize damage, she added.

How to stay there

As an app sec program matures, how can it be kept that way? "You can't get complacent," Forrester's Carielli said. "The sign of a mature organization is that you have the kind of supporting infrastructure and awareness in place to maintain your app sec program."

"A lot of it is: Keep doing what you're doing, but realize that as processes change and technologies evolve, your program is going to have to evolve with them," she continued.

"There's no place where you reach a summit and can say, 'Congratulations, we're mature,' and you don't have to do anything anymore."
—Sandy Carielli

MassMutual's Weintraub advised organizations that want to maintain the maturity of their app sec programs to listen to their security intelligence teams. "As we find out more about how threat actors are leveraging various types of vulnerabilities, we must be ready to shift our programs to assess and take appropriate actions," she said.

Organizations also need to continually adjust their maturity models to meet their needs. "If you opt to use maturity models to regularly benchmark your app sec program, it’s important to be receptive to the resulting output," counseled Michael Isbitski, technical evangelist at Salt Security, a provider of API security.

"Scores will be good and bad, and they will also change over time," he explained. "You have to continuously assess what’s working or not working and invest in areas of weakness accordingly."

Like any well implemented organizational process, an app sec program requires continuous care and feeding, added WhiteHat's Kulkarni. "One area where I see app sec programs rapidly deteriorate once steady state is reached is a lack of ongoing funding," he said.

A good, steady-state application security program will be a silent contributor to success, Kulkarni continued, saying, "And often, when there are no perceptible issues, organizations tend to divert funds from the app sec program to other demanding programs."

Make sure your app sec thinking is long term

The app sec program needs to be funded forever, Kulkarni said. That's because the applications being secured by the program and the threat landscape in which the applications operate keep changing. A good app sec program considers this changing operating environment, and that requires ongoing funding.

Keep learning

Read more articles about: SecurityApplication Security