It is abundantly clear to almost everyone responsible for organizational application security that there is no widely accepted approach for assessing the security of the wide portfolio of applications they are charged to manage and maintain.
Part of the challenge lies within the origin of the application code and its residency — internally developed, hosted in-house or third-party software, cloud-based applications (for example). While security engineers may be able to readily evaluate the security controls in place for internally developed software that is hosted in the company’s datacenter, gaining visibility into the security of code that resides outside of network boundaries may be a much more difficult endeavor.
Security leaders are often left with conducting third-party risk assessments that are less reliable, lack depth and rely on vendor attestations. Let’s concentrate on the applications that can be actively assessed by those individuals in our own security organizations.
Leveraging frameworks to inform software security strategy
There is no shortage of frameworks that may be used to formulate and implement a software security strategy that can be customized to address the specific risks facing an organization.
Regardless of the approach taken, understanding the maturity of the application security program will guide security professionals in taking the necessary steps required to enhance the technical, administrative and physical security controls in areas where the largest gaps exist.
The judicious use of application security metrics
Once security professionals have applied the learnings that have resulted from assessing the maturity of the company’s application security program, it is critical that they monitor the effectiveness of these newly designed and implemented security controls. The only reasonable way to do this is to create security metrics that make sense for the organization and its risk tolerance. By thoughtfully developing application security metrics that are both easy to collect and actionable, it is much more likely that the security function will be able to reduce the overall security risk profile for any given application.
The number of metrics that may be applied to an organization’s application security program are endless, but a few high-level ones that may be used to track progress and compliance to help avoid breaches, fines and lawsuits could be:
- Percentage of applications that are part of the organization’s secure development lifecycle
- Time required to remediate vulnerabilities
- Flaw creation rate
- Number of applications that are covered by automated security testing
- Number of applications, code libraries and open-source components that are blocked against developer use
These types of measurements help security teams understand the strengths and weaknesses of the organization’s software development process, security operations and coding practices. Ultimately, metrics allow an organization to measure successes and failures of past and current security investments and provide quantifiable data to support the allocation of future capital and operational investments.
Why assessing application security is so important
A rigorous assessment of the organization’s application security and supporting program will enable the identification of potential threats before they have an impact to the operation. Given that today’s software-driven businesses can be so severely impacted by the increasing frequency of application exploits, it is critical to address application security in a meaningful way. Without understanding the security posture of enterprise applications, it is impossible to defend the organization against targeted attacks in the future.
