Ben Tomhave and Ramon Krikken at Gartner have released a paper called "Application Security: Think Big, Start with What Matters" (www.gartner.com/doc/2765517/application-security-think-big-start), which describes concrete steps for deploying an app sec program cost-effectively. We highly recommend that organizations seeking to build an app sec program read the report.
Krikken and Tomhave define a realistic set of guiding principles that can be used to prioritize the use, growth and maturity of each component of their framework. In our view, the framework is valuable because of the following realities in most organizations:
• There aren’t enough application security experts available to rely on manual activities. The report, under its “Cost-efficiency and agility require automation” principle, says: “There is no reasonable way to scale manual human activities relative to appsec without exploding costs. As a result, it’s important to leverage automation in order to embed and scale appsec practices in a cost-effective manner.”
• Defining security requirements is fundamental to achieving secure software development. One recommendation from the report is to “Start by implementing application security testing (AST) and creating basic security feature requirements.”
• Security isn’t what drives business revenue or operating efficiencies: features do. Software teams are self-optimized to produce business value, and application security programs need to adapt to this rather than the other way around.
All too often, we have seen organizations invest in application security testing and education as the only two components of their application security programs. The net result is an expensive “patch and fix” approach that self-optimizes only for the risks that scanners are able to catch; weaknesses such as missing authorization checks, flawed business logic and design-level mistakes rarely show up in scanner output at all. Tomhave & Krikken point out that: “Anecdotally, it is believed that SAST [Static Application Security Testing] only covers up to 10% to 20% of the codebase, DAST [Dynamic Application Security Testing] another 10% to 20% (minimal overlap with SAST), with the end conclusion being that traditional AST really only covers about 40% or less of your codebase.”
Organizations often struggle to move past education and testing because they haven’t found solutions that scale with a limited security staff. The authors also dispel the myth that it’s impossible to automate early-phase secure SDLC activities: “Automated incorporation of security requirements into the overall requirements management process should be sought out and leveraged wherever possible.”
Overall, “Application Security: Think Big, Start With What Matters” should be on your short-list of reference material if you’re looking to lower the cost of your application security program and reduce software security risk.