Build a holistic AppSec program

What does it mean to create a holistic AppSec program? Find out what a holistic approach entails and how to get started.

DevOps Connect: DevSecOps @ RSAC 2022

Digital technology is the centerpiece of modern life today. All around us, technology is transforming end-to-end business operations, from digitally-focused companies to those simply updating existing processes. According to Gartner, 65% of executives report accelerating the pace of their digital business initiatives in 2021. And that digital agility—technology, work processes, and business—all depends on the software to run. It is therefore essential to be able to be sure that the software is safe and secure and that it can manage the risks.

Every modern business is a software company, so software is a big business risk. And as organizations look for ways to reduce their vulnerability to security breaches, many are placing the burden on the shoulders of software development teams to resolve all security issues. Or they just buy security software and trust it to manage risk. But in fact, a holistic approach to application security (AppSec) is the best approach to securing the organization and its software.

What does it mean to create a holistic AppSec program? Industry sectors and markets are all different, each with unique requirements. But they share the need to develop safe and secure software, meet security standards, and respond to threats to keep their business and their customers safe.

A holistic approach involves

  • Understand internal and external threats and risks
  • Building a solid foundation for your AppSec program
  • Maximize your AppSec tools

Watch the webinar to learn more

Application Security

Greater complexity, shorter development cycles, and the interconnectivity and permanent nature of software provide hackers with an always-available technological surface to try to exploit. Securing this software requires more than just tools: it requires prioritizing security and managing it proactively. This means aligning people, processes, and technology to address security risks based on an organization’s unique policies and business objectives.

We often focus on the technology and the tools, and forget about the processes when in fact the tools exist to complement the processes. If you focus only on one point in the software development life cycle (SDLC), your security profile is incomplete. You have to look at the entire life cycle. Place security at every stage of the development process, including coding, building, testing, releasing, deploying, monitoring, and more.

Organizations that use software live in a constant state of threat. For open source software, it can take days, months, or years from when a vulnerability is introduced to when it is discovered. But once this breach is known, it is vulnerable, as hackers are always on the lookout and ready to strike. For proprietary software, you typically only learn of a vulnerability when that vulnerability is exploited.

Build an AppSec culture

Traditional security methods slow the speed of DevOps, and large AppSec testing tools can clog build, test, and release pipelines. More security tools means more testing, which means more results that need to be correlated, deduplicated, and prioritized to ensure developers aren’t overwhelmed with data and unable to focus on the most important security issues. important.

A true AppSec culture is one in which people, processes, and technologies are aligned to minimize risk and transform the business. It’s a culture shared across the organization, not just IT or development teams. A complete AppSec culture includes security champions, metrics, planning, DevSecOps maturity framework, built-in DevSecOps, and training.

Safety Champions

Security champions are security-conscious employees within the IT or development team, or those who have security expertise and want to take ownership of the application security process by helping to enforce that process in the organization. entire SDLC. Champions also educate development teams on security best practices and stay current on current vulnerabilities and threats to software used by your organization, and internally track vulnerabilities and issues across teams.


If you don’t know where you are now, you won’t know what you need to grow or invest in for the future. A key step is to develop a measurement tool to understand how existing processes are performing and where they can benefit from improvement or additional resources or budget.


It’s important to create an actionable security plan based on your organization’s policies. A security plan is a living document. It will evolve and mature as you use it, as you discover more about the people, processes, and technologies involved, and as you discover gaps. Any plan is good as long as it works, and then you can create a new one.

To create or update a security plan, an organization must

  • Build consensus on goals
  • Determine the current state of the secure SDLC
  • Identify the target state
  • Set budget and path forward
DevSecOps maturity

The key to a robust and holistic AppSec program is establishing a DevSecOps maturity framework. This means defining governance and processes, creating a secure design and architecture, and ensuring that all processes operate within this framework. Then you can identify the tools deployed at each stage of DevSecOps and compare them to the plan.

Built-in DevSecOps

Integrate AppSec naturally into the organization and into every phase of software development.


Training employees so they know how to manage DevSecOps tools is essential. Using a tool incorrectly is as bad as not having one at all.

Intelligent, policy-based DevSecOps

It is not possible for a security program to succeed without the right tools. Test at the right time and at the right level to build truly secure software. Tools can show security gaps and inform how to deal with them effectively. But tools alone are not enough. An integrated solution centralizes the view and integrates feedback from an organization’s security tools, enabling the development team to prioritize tickets, track remediation, and provide actionable insights.

Many organizations struggle to scale their AppSec to keep pace with development cycles. It’s a constant challenge to get the right combination of tools, people and processes. The Building Security in Maturity (BSIMM) model was designed to provide a roadmap for a mature AppSec program. To learn more, download BSIMM12 Digest: The CISO’s Guide to Next-Gen AppSec today.

Ryan H. Bowman