
How to assess your organization’s application security

By Robert Deane

August 4, 2022

It is abundantly clear to almost everyone responsible for organizational application security that there is no widely accepted approach for assessing the security of the wide portfolio of applications they are charged to manage and maintain.

Part of the challenge lies in the origin of the application code and where it resides: for example, internally developed software hosted in-house, third-party software, or cloud-based applications. While security engineers may be able to readily evaluate the security controls in place for internally developed software hosted in the company’s datacenter, gaining visibility into the security of code that resides outside of the network boundary may be a much more difficult endeavor.

Security leaders are often left with conducting third-party risk assessments that are less reliable, lack depth and rely on vendor attestations. Let’s concentrate on the applications that can be actively assessed by those individuals in our own security organizations.

Leveraging frameworks to inform software security strategy

There is no shortage of frameworks that may be used to formulate and implement a software security strategy that can be customized to address the specific risks facing an organization.

Regardless of the approach taken, understanding the maturity of the application security program will guide security professionals in taking the necessary steps required to enhance the technical, administrative and physical security controls in areas where the largest gaps exist.

The judicious use of application security metrics

Once security professionals have applied the learnings that have resulted from assessing the maturity of the company’s application security program, it is critical that they monitor the effectiveness of these newly designed and implemented security controls. The only reasonable way to do this is to create security metrics that make sense for the organization and its risk tolerance. By thoughtfully developing application security metrics that are both easy to collect and actionable, it is much more likely that the security function will be able to reduce the overall security risk profile for any given application.

The number of metrics that may be applied to an organization’s application security program is endless, but a few high-level ones that may be used to track progress and compliance, and so help avoid breaches, fines and lawsuits, could be:

  • Percentage of applications that are part of the organization’s secure development lifecycle
  • Time required to remediate vulnerabilities
  • Flaw creation rate
  • Number of applications that are covered by automated security testing
  • Number of applications, code libraries and open-source components that are blocked from developer use
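The metrics above are only useful if they are cheap to collect and computed the same way every reporting period. The following is an added example, not code from the article or from Security Compass Advisory, showing how the first four metrics in the list can be derived from two small inventories that most teams already have in some form: an application register and a findings tracker. The application and finding records, the reporting window and the as-of date are all constructed sample data; the definition of "flaw creation rate" as findings opened per 30-day period, and the 30-day remediation SLA, are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Application:
    name: str
    in_sdlc: bool            # enrolled in the secure development lifecycle
    automated_testing: bool  # covered by SAST/DAST/SCA in the build pipeline

@dataclass
class Finding:
    app: str
    opened: date
    closed: Optional[date] = None  # None means the finding is still open

# Constructed sample inventory (hypothetical application names).
APPS = [
    Application("payments-api", in_sdlc=True, automated_testing=True),
    Application("hr-portal", in_sdlc=True, automated_testing=False),
    Application("legacy-reports", in_sdlc=False, automated_testing=False),
    Application("mobile-app", in_sdlc=True, automated_testing=True),
]

# Constructed sample findings export (dates chosen for the example).
FINDINGS = [
    Finding("payments-api", date(2022, 5, 2), date(2022, 5, 9)),
    Finding("payments-api", date(2022, 6, 1), date(2022, 6, 15)),
    Finding("hr-portal", date(2022, 5, 20), date(2022, 7, 4)),
    Finding("legacy-reports", date(2022, 4, 10), None),
    Finding("mobile-app", date(2022, 6, 20), date(2022, 6, 23)),
]

# Constructed reporting window and as-of date.
WINDOW_START = date(2022, 5, 1)
WINDOW_END = date(2022, 6, 30)
AS_OF = date(2022, 8, 4)

def pct_in_sdlc(apps):
    """Percentage of applications that are part of the secure development lifecycle."""
    return 100.0 * sum(a.in_sdlc for a in apps) / len(apps)

def automated_testing_count(apps):
    """Number of applications covered by automated security testing."""
    return sum(a.automated_testing for a in apps)

def median_time_to_remediate_days(findings):
    """Median days from a finding being opened to being closed; None if nothing closed."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return median(durations) if durations else None

def flaw_creation_rate(findings, start, end, per_days=30):
    """Assumed definition: findings opened inside [start, end] per `per_days`-day period."""
    opened = sum(start <= f.opened <= end for f in findings)
    return opened / ((end - start).days / per_days)

def overdue_open_findings(findings, as_of, sla_days):
    """Applications with at least one open finding older than the SLA (assumed 30 days)."""
    return sorted({f.app for f in findings
                   if f.closed is None and (as_of - f.opened).days > sla_days})

def metrics_report(apps, findings, start, end, as_of, sla_days=30):
    """Collect the metrics into one record suitable for trending period over period."""
    return {
        "pct_in_sdlc": pct_in_sdlc(apps),
        "automated_testing_count": automated_testing_count(apps),
        "median_time_to_remediate_days": median_time_to_remediate_days(findings),
        "flaw_creation_rate_per_30d": flaw_creation_rate(findings, start, end),
        "apps_over_sla": overdue_open_findings(findings, as_of, sla_days),
    }

if __name__ == "__main__":
    for key, value in metrics_report(APPS, FINDINGS, WINDOW_START, WINDOW_END, AS_OF).items():
        print(f"{key}: {value}")
```

The report deliberately returns one flat record per period rather than charts or scores: the actionable signal is the trend (is median remediation time falling, is SDLC coverage rising) and the list of applications breaching the SLA, which names the owners who need to act. Replacing the constructed lists with an export from the real application register and ticketing system is the only change needed to run it against an actual portfolio.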

These types of measurements help security teams understand the strengths and weaknesses of the organization’s software development process, security operations and coding practices. Ultimately, metrics allow an organization to measure successes and failures of past and current security investments and provide quantifiable data to support the allocation of future capital and operational investments.

Why assessing application security is so important

A rigorous assessment of the organization’s application security and its supporting program will enable the identification of potential threats before they have an impact on operations. Given that today’s software-driven businesses can be so severely impacted by the increasing frequency of application exploits, it is critical to address application security in a meaningful way. Without understanding the security posture of enterprise applications, it is impossible to defend the organization against targeted attacks in the future.

KEYWORDS: application security cyber security leadership data security security metrics third-party risk vulnerability assessment


Robert Deane is Director of Advisory at Security Compass Advisory. He is a forward-looking, innovative application security expert with over 20 years of experience serving clients in the Financial Services, Healthcare and Manufacturing industries. His passions include applied cryptography, cloud computing and secure application design. Prior to joining Security Compass Advisory, Deane worked in a series of technical and leadership roles where he has built high-performing teams that solve complex problems for his clients. Robert has a B.A. from the University of Massachusetts at Amherst and MBA from Fordham University in NYC.

Copyright ©2025. All Rights Reserved BNP Media.