EVERYTHING You Need to Know About
MATURING YOUR APPLICATION SECURITY PROGRAM

MATURITY MATTERS

Software plays a central role in business processes and in our daily lives, and companies of all sizes and industries are building, buying, and downloading more applications than ever before. However, this increased dependence on software makes the applications powering our world a prime target for cybercriminals. Applications are the No. 1 attack vector for cybercriminals and the main source of breaches.

In addition, the way software is developed is changing. Contemporary application development methodologies like DevOps are increasing the speed and precision with which software is produced and deployed. The increased speed and precision have created a modern software factory akin to the manufacturing factories of past industrial revolutions.

And like past industrial revolutions and manufacturing-based economies, the application economy depends on high-quality and secure products (applications) in order to thrive. The speed and scope of software development in organizations, coupled with other evolutions in how software is made, such as the use of open source and third-party components, are creating new challenges in ensuring the security of software.

A different approach to application security (AppSec) — one that aligns with the new role of software and today’s development paradigms — is now key to effective information security.

That approach entails an AppSec program that integrates security seamlessly into developer processes and that is comprehensive, mature, and ongoing rather than a one-off project. Why? Because these programs get results. Research for our annual State of Software Security report found that organizations with long-standing, comprehensive AppSec programs had a 35 percent better OWASP pass rate than programs in place for less than a year.

“There is no application security silver bullet. It’s going to take more than one automated technique and manual process to secure your applications. Gather the strengths of multiple testing techniques along the entire application lifetime to drive down application risk in your organization.”

Chris Wysopal, Co-Founder and CTO, Veracode

Unfortunately, application security is frequently misunderstood. Too often, business and security leaders don't know how or where to begin, or they lack the technology framework to fully execute on a plan. As a result, they rely on an approach that delivers subpar results.

We typically find that organizations are at one of four maturity stages in addressing application security. Those four stages are: a reactive approach, which relies on ad hoc tools and security assessments that reside outside the development lifecycle; a baseline approach that depends on assessments at the end of the software development lifecycle (SDLC); an expanded approach that begins to integrate tools at various stages but often lags behind the required pace; and an advanced approach that manages application security in a more holistic and integrated way.

Regardless of which stage you’re currently in, however, your goal should be to move toward a mature, comprehensive program, which is ultimately the most effective way to protect your application layer.

A recent GitLab survey found that more than half of respondents deploy software multiple times a day, once a day, or once every few days.

A TALE OF FOUR STAGES

Here's a more detailed look at the four stages of application security maturity and how they impact your overall security framework:


Reactive.

Organizations that fall into this group typically find themselves driven by broad security requirements, including government regulations, industry compliance or customer demands. The problem with constantly responding to specific needs and requirements is that application security winds up revolving around manual penetration testing and other reactive methods. Unfortunately, this method devours money and staff time.

What's more, if your organization doesn't respond effectively to every threat — and many of them will unfold without warning — your enterprise faces a greater risk of a breakdown. This could lead to reputational damage or the direct loss of sales. A reactive approach is often slow, it doesn't scale effectively, and it lacks the automation and integration that's required for digital-age software development and business. At this level, most organizations also lack centralized governance and reporting and lag in developer involvement and education.

  • Learn more about your next steps if you're in the reactive stage.

Baseline.

This approach takes aim at a wider array of application security functions, though it most often centers on business-critical applications. The most common techniques associated with a baseline approach are manual penetration testing and dynamic analysis (DAST).

Although a baseline approach boosts integration and automation, it becomes increasingly challenging as an enterprise moves to Agile and DevOps. With this approach, most security assessments take place toward the end of the software development lifecycle (SDLC). As a result, flaws are more expensive and difficult to fix — in some cases requiring 10 times more money and resources. The end result is a process that’s often slow, inflexible, and unscalable.

  • Learn more about your next steps if you're in the baseline stage.

Expanded.

As organizations improve their processes and technology, they wind up adopting an expanded approach. This approach embeds some level of automation into application security across the SDLC. The tools used at this stage include static and dynamic analysis, along with manual penetration testing. The goal is to deliver the services and support developers require to generate, maintain, and fix code.

An expanded approach is among the most common methods used today. However, it, too, creates friction because an expanded approach still doesn't address fundamental challenges like scale, speed, and costs. It also lags in development involvement and education. Once again, as organizations move to Agile and DevOps, the deficiencies associated with this approach become more glaring.

  • Learn more about your next steps if you're in the expanded stage.

Advanced.

The goal for an organization should be, over time, to reach the final stage — an advanced approach. As the name implies, this approach encompasses a more comprehensive framework for application security. The methodology aims to protect all code and applications — from those developed internally to those made up primarily of open source components — and across application lifecycles, from development to QA to production. Notably, in this stage, developers own the testing and fixing of security-related defects in code. Security testing is integrated into their existing tools and processes, leaving the security team to focus on more strategic endeavors like policy and training. Not only does this lead to a more cost-effective model, it delivers significantly better protection.

FACT
70% of applications have a security flaw in an open source library on initial scan.[2]

2. State of Software Security: Open Source Edition

EMBRACING MATURITY

A mature application security program might seem intimidating to some organizations. But it’s important to remember that there is an established series of steps most organizations take when developing an application security program. The keys are to start small, keep things simple, prove the value, and then mature the program over time. In fact, the most successful companies we’ve worked with have started by securing a few apps at a time. In addition, if you build security assessments into the development process, reaching maturity is less daunting. The journey to a more advanced application security framework and a more mature approach to security starts with a few key steps:


Executive buy-in and support.

Improved application security — and cybersecurity in general — starts with support from the highest corners of the enterprise. Without backing and adequate funding, an organization will remain perpetually mired in reactive mode. In order to gain support, it's necessary to keep your senior-level executives and board-level leaders informed about application security vulnerabilities and risks, while keeping the discussion broad and strategic. This requires facts, numbers and, whenever possible, a business case. It's critical to answer any and all questions they might have and ensure that any concerns are addressed promptly. Once the executive team buys in, other groups in the enterprise will follow. To get started, check out our guide, Building a Business Case for Expanding Your AppSec Program.

GUIDE
For help navigating the most commonly asked questions by executive leadership when establishing or maturing an AppSec program, explore our guide, Communicating Application Security Success to Your Executive Leadership.

Content Contributed by the Veracode Customer Advisory Board Working Group


Developer buy-in and support.

With the emergence of DevOps, and security’s “shift left,” application security won’t happen without developer buy-in, support, and participation. To ensure the success of your application security initiative, it’s essential to work closely with your developers so they understand the guidelines, strategies, policies, procedures, and security risks involved with application security. What’s more, they must be prepared and equipped to operate securely within their particular development processes. Check out our infosheet, 4 Ways to Increase Developer Buy-In of AppSec, to learn how to get your development team on board.

TIP: Create a security champion
Consider asking a developer with an interest in security to be a security champion. These champions help to reduce culture conflict between development and security by amplifying the security message on a peer-to-peer level. They don’t need to be experts; think of them as the "security consciousness" of the group.


An application security maturity assessment.

It's impossible to reach a destination if you lack a map. In this case, the map is a security maturity assessment. It provides insights into key factors, including where an enterprise currently stands in terms of AppSec maturity and where it hopes to be.


Program goals.

With an assessment of where gaps, deficiencies, and opportunities exist, it's possible to establish clear goals for improving your organization's security posture. For many businesses, the OWASP Top 10 serves as an excellent guide for remediating vulnerabilities. Of course, many other tools and metrics exist. The common denominator is that it's important to understand the value of the goals and set predictable timelines and metrics for gauging results. Without definable standards, it's difficult, if not impossible, to achieve consistent results through application security and other cybersecurity tools.


An inventory of current applications and software code.

Another important piece of the puzzle is identifying the current state of the software and applications within your organization. An understanding of where your organization stands with application security, as well as program goals, does no good if your enterprise doesn't know exactly what it’s looking for and where the vulnerabilities lie. Too often, organizations succumb to attacks because they lack visibility into the web perimeter and other exposure points to the outside world. In fact, Veracode research has found that organizations have between 30 percent and 40 percent more exposure than they realize. A discovery scan of the perimeter, and the resulting inventory of exposure points, is a crucial step in reducing risk. Such a scan can help you determine where you might need to apply patches or eliminate sites that are no longer in use but are still active.

WHITEPAPER
Get all the details on starting your application security program on the right foot with The Ultimate Guide to Getting Started With Application Security.


Defining the policy and the program.

With a thorough understanding of all the various components of your application security program, it's possible to develop clear and relevant policies and procedures. Even with code scans and various other tools in place, it's important to have processes that ensure your organization is adhering to regulatory controls, industry standards, and internal policies. Ensuring that teams are synced and that different groups within your organization are communicating and collaborating effectively, is paramount. A mature application security program incorporates clear policies and guidelines — and has the mechanisms in place to make sure people follow them.

Simplify Your Path to AppSec Maturity With the Veracode Verified Program

When you’re part of the Veracode Verified program, you’ll benefit by:

  • Getting solid guidance and a proven roadmap for maturing your application security program
  • Generating clear evidence to show your executive team that your program is making progress
  • Staying ahead of customer and prospect security concerns, and speeding your sales cycle, without straining limited security resources
  • Being able to prove at a glance that you’ve made security a priority and that your security program is backed by one of the most trusted names in the industry

FIND OUT MORE ABOUT VERACODE VERIFIED.

EXECUTION IS EVERYTHING

Although planning and analysis are crucial to developing a mature application security framework, there's also the challenge of executing on the plan. This translates into engaging the development team, putting a remediation effort into motion, incorporating advanced testing methods, and tracking key metrics. None of these things can happen without a coordinated effort. The goal is to boost the level of application security in your organization without introducing steps and procedures that slow down software development, particularly in a fast-moving DevOps environment.

Today, success requires a deep understanding of development workflows and processes — and an ability to integrate them into the fabric of your business. This, in turn, requires teams to follow guidelines, standards, and protocols. However, a team can also create friction and block progress if not everyone understands the value of the plan or has the tools to integrate application security into development processes on a daily basis. For instance, developers must know what to do with scanning results, how to avoid introducing the same vulnerabilities in the future, and how to promptly fix code without slowing down work.

Typically, four key metrics must be used when putting the application security framework in place:

  • Compliance with policy
  • Flaw prevalence
  • Fix rate
  • A custom metric that aligns with your particular business goals
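To make the four metrics concrete, here is an added example (not Veracode code or a Veracode report format) that computes policy compliance, flaw prevalence, fix rate and a custom time-to-fix metric from a constructed findings export; the record layout, the app inventory, the hypothetical app names and the policy thresholds are all assumptions.

```python
"""AppSec program metrics computed from a findings export.

Added example, not Veracode code: the record layout, the app inventory
and the policy thresholds are assumptions constructed for illustration.
"""
from datetime import date
from statistics import median

# Constructed sample export: one record per finding (hypothetical apps).
FINDINGS = [
    {"app": "billing",  "cwe": "CWE-89",  "sev": 5, "found": date(2021, 1, 4),  "fixed": date(2021, 1, 20)},
    {"app": "billing",  "cwe": "CWE-79",  "sev": 3, "found": date(2021, 2, 1),  "fixed": None},
    {"app": "portal",   "cwe": "CWE-79",  "sev": 3, "found": date(2021, 1, 15), "fixed": date(2021, 3, 1)},
    {"app": "portal",   "cwe": "CWE-22",  "sev": 4, "found": date(2021, 1, 10), "fixed": None},
    {"app": "mobile",   "cwe": "CWE-327", "sev": 4, "found": date(2021, 2, 20), "fixed": date(2021, 2, 25)},
    {"app": "intranet", "cwe": "CWE-89",  "sev": 5, "found": date(2021, 3, 5),  "fixed": None},
]
# The inventory matters: an app with no findings still counts in the denominators.
APPS = {"billing", "portal", "mobile", "intranet", "reports"}
# Assumed policy: findings of severity 4 or higher must be closed within 30 days.
POLICY = {"max_open_sev": 3, "grace_days": 30}
TODAY = date(2021, 3, 10)  # reporting date for the constructed sample


def fix_rate(findings):
    """Share of all findings that have been closed."""
    return sum(f["fixed"] is not None for f in findings) / len(findings)


def flaw_prevalence(findings, apps):
    """Per CWE, the fraction of inventoried apps with at least one such finding."""
    apps_per_cwe = {}
    for f in findings:
        apps_per_cwe.setdefault(f["cwe"], set()).add(f["app"])
    return {cwe: len(s) / len(apps) for cwe, s in apps_per_cwe.items()}


def policy_compliance(findings, apps, policy, today):
    """App -> True unless it has an open finding above the severity cap past its grace period."""
    status = {app: True for app in apps}
    for f in findings:
        if f["fixed"] is None and f["sev"] > policy["max_open_sev"]:
            if (today - f["found"]).days > policy["grace_days"]:
                status[f["app"]] = False
    return status


def median_days_to_fix(findings):
    """Custom metric: median days from discovery to closure over fixed findings."""
    return median((f["fixed"] - f["found"]).days for f in findings if f["fixed"])


if __name__ == "__main__":
    print(f"fix rate: {fix_rate(FINDINGS):.0%}")
    print("flaw prevalence:", flaw_prevalence(FINDINGS, APPS))
    compliant = policy_compliance(FINDINGS, APPS, POLICY, TODAY)
    print(f"policy compliance: {sum(compliant.values())}/{len(compliant)} apps")
    print(f"median days to fix: {median_days_to_fix(FINDINGS)}")
```

Tracking these numbers over successive reporting dates is what turns a scan export into the trend evidence the executive-reporting sections above call for.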

Our State of Software Security report found that remediation coaching improved fix rates by 88%.

When an enterprise sets the bar at the appropriate level and makes results achievable, it's possible for developers and security teams to hit the sweet spot on the performance-protection continuum. Ideally, every policy should revolve around this concept. It's the foundation of an effective AppSec program.

percent of the typical Java application is made up of open source libraries[3]

3. Ibid.

GUIDE
Get detailed, practical advice and lessons learned on the AppSec road to maturity from someone who’s been there. Download From Ad Hoc to Advanced Application Security: Your Path to a Mature AppSec Program.

TECHNOLOGY ISN'T
AN AFTERTHOUGHT

A more sophisticated approach to application security also requires the right combination of tools and technologies. As a rule, multiple testing techniques are more effective than a single, blunt-force method. A multi-dimensional framework also helps spot different types of vulnerabilities that might otherwise go undetected. For example, research indicates that there are differences in the types of vulnerabilities discovered by examining applications dynamically at runtime, as compared to doing static tests in a non-runtime environment.

In order to achieve an inception-to-production view — essentially a complete SDLC approach — it's important to not only rely on a mix of static, dynamic, and manual testing, but also on tools that allow developers to test code early and frequently. This includes tools such as Veracode Static Analysis, which brings security scanning into the IDE while providing immediate feedback.


Our State of Software Security Volume 11 report found that organizations that scan their applications infrequently (fewer than 12 times in a year) took about 7 months to close half of their open findings, while organizations that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of flaws in 2 months.

A Mature Application Security Program Features:

  • Static analysis
  • Dynamic analysis
  • Software composition analysis
  • Penetration testing

See these different technologies in action.

GUIDE
Find out more about the different types of application security testing and the strengths and limitations of each in Your Guide to Application Security Solutions.

According to the National Institute of Standards and Technology (NIST), the cost of fixing a vulnerability during post-production is 30x more expensive than addressing it during earlier stages.[4]

4. Ibid.

5 ESSENTIAL QUALITIES OF A MATURE APPSEC FRAMEWORK


  1. An enterprise must scale to assess all internally developed apps in the SDLC.
  2. Teams must not just find vulnerabilities but mitigate or remediate them as well.
  3. An organization must create an inventory of all components and the versions used in development. This provides an easy way to update a component to the latest version if a vulnerability is discovered.
  4. Developer training on secure coding is a key to AppSec success. Most developers have little to no security training, either in school or on the job.
  5. The enterprise must continually measure and iterate.

SUCCESS STORY
Hear first-hand how Veracode and a large healthcare company worked together to build an application security program.



A DOLLARS-AND-SENSE APPROACH

In an era of escalating threats and risks, it's essential to address application security in a sensible and effective way. Web application attacks have emerged as the No. 1 risk to organizations, yet application security comprises only a small fraction of overall security spending.

At the heart of an effective SDLC operation is a multi-faceted approach to application security. This means moving away from one-off scans or penetration tests and establishing a comprehensive and integrated framework for continual assessment and action. While it's nothing short of essential to secure business-critical applications, application security must permeate processes and workflows that touch every piece of code. Only then can an organization adopt a mature approach and minimize the risks in today's business landscape.

In the end, application security won’t be sufficiently addressed with a one-off project. But forward-thinking organizations are reducing their risk and moving their businesses forward with ongoing, comprehensive application security programs. Although creating this program might seem overwhelming at first, most organizations break it down into a series of manageable steps and slowly decrease their risk over time.

CASE STUDY
Read how the California Department of Technology improved its operations with Veracode AppSec.




ABOUT VERACODE

Veracode is the leading AppSec partner for creating secure software, reducing the risk of security breach and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of automation, integrations, process, and speed, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Veracode serves more than 2,500 customers worldwide across a wide range of industries. The Veracode cloud platform has assessed more than 14 trillion lines of code and helped companies fix more than 46 million security flaws. Learn more at veracode.com, on the Veracode Blog, and on Twitter.

Copyright © 2021 Veracode. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.