What is the maturity level of your AppSec program?

Using the Forrester Assessment, you can measure the maturity of your AppSec program to help identify areas for improvement.

Any organization that wants to secure its software should make the maturity of its AppSec program its holy grail. Maturity means making security the first thought, not an afterthought. This means building security into software throughout the development lifecycle, rather than trying to fix it at the last minute before production.

Achieving the desired result, trust in the software, doesn’t happen by accident. As a recent analysis by Forrester Research indicates in a white paper titled “Assess the Maturity of Your Product Security Program”, maturity requires more than just integrating security tools or deploying application protections.

To reach a level of maturity where product security is a business enabler, “security teams must prioritize collaboration with product teams and invest in capabilities that automate security detection and remediation, integrate seamlessly into the product lifecycle, and measure business impact and customers,” according to Forrester’s white paper.

How can you assess your level of maturity? Forrester offers a six-stage checklist in what it calls the Forrester Secure What You Sell model. The stages are discover, define, align, build, launch and grow. Within each stage is a list of markers that help an organization determine its current level of maturity and what it may need to do to reach a higher one. Essentially, it lets an organization build its own report card.

Download the Forrester report

Six steps to secure what you sell

Discover: A project at this early stage may be no more than a glint in the product team’s eye, but now is the time to conduct risk assessments, threat intelligence assessments and reviews of possible abuse scenarios. These can surface security and privacy concerns that the product team may not have considered. This is the beginning of the maturity activity called “planning ahead”.

Define: To design security into a product, security teams need to know its intended range of uses, who will use it (target markets), and any regulatory requirements. The definition should also include requirements for upgrades, maintenance, and support throughout the life of the product. The security team can then work with the product team to design what Forrester calls “Minimum Viable Security Thresholds—the minimum controls needed to protect the business when the product is deployed.”

Align: This means setting the personnel, tooling and licensing requirements needed to protect the product once customers use it. It may require new or custom tools if the product uses new technologies or development approaches. If the product uses open source or third-party software components (as almost all do), it is important to consider how to manage this third-party risk. This includes creating an inventory, or software bill of materials (SBOM), for all third-party supply chain dependencies, including data, code, and materials.

Build: For those with DevSecOps expertise and experience, the activities at this stage will be familiar. They include automated testing tools such as static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) integrated into the CI/CD pipeline. This helps developers find and fix security issues as they go. Rather than “shifting left”, the goal is to “shift everywhere” so that the right test is performed at the right time. During penetration testing, security professionals should consider misuse scenarios and test the product not only for what it should do, but also for what it shouldn’t be able to do.
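The Align stage’s third-party inventory and the Build stage’s automated pipeline checks meet in a simple policy gate. The following is an added example, not code from the article or from Forrester: it reads a constructed CycloneDX-style JSON SBOM, builds the dependency inventory, and fails the pipeline step when a component is unpinned, has no declared license, or uses a license the business has not cleared. The sample components, the disallowed-license set and the pinning rule are assumptions for illustration.

```python
"""Inventory and policy-gate a software bill of materials (SBOM).

Added example (not the article's or Forrester's code): reads a
CycloneDX-style JSON SBOM (a constructed sample, not a real project's),
builds the third-party inventory the Align stage calls for, and applies a
minimal policy gate of the kind a CI/CD pipeline would run at the Build
stage. The policy rules and sample data are assumptions for illustration.
"""
import json

# Constructed sample SBOM in CycloneDX 1.4 JSON shape; names, versions
# and licenses are made up for the example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-crypto", "version": "0.9.0",
         "purl": "pkg:pypi/example-crypto@0.9.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "example-utils",
         "purl": "pkg:npm/example-utils"},  # no version pinned, no license
        {"type": "data", "name": "example-model-weights", "version": "1.0",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ],
})

# Policy assumptions: licenses the business has not cleared for shipped
# products, and component types that must carry a pinned version.
DISALLOWED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only"}
PINNING_REQUIRED_TYPES = {"library", "framework", "application"}


def load_inventory(sbom_json):
    """Return a flat inventory: one dict per component with normalized fields."""
    bom = json.loads(sbom_json)
    inventory = []
    for comp in bom.get("components", []):
        licenses = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            # CycloneDX allows either an SPDX id or a free-form license name.
            licenses.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        inventory.append({
            "type": comp.get("type", "unknown"),
            "name": comp["name"],
            "version": comp.get("version"),
            "purl": comp.get("purl"),
            "licenses": licenses or ["UNKNOWN"],
        })
    return inventory


def policy_gate(inventory):
    """Apply the policy; return a list of (component name, reason) violations."""
    violations = []
    for item in inventory:
        if item["type"] in PINNING_REQUIRED_TYPES and not item["version"]:
            violations.append((item["name"], "unpinned version"))
        for lic in item["licenses"]:
            if lic in DISALLOWED_LICENSES:
                violations.append((item["name"], f"disallowed license {lic}"))
            elif lic == "UNKNOWN":
                violations.append((item["name"], "license not declared"))
    return violations


def gate_passes(sbom_json):
    """True when the SBOM clears the policy, i.e. the pipeline stage may proceed."""
    return not policy_gate(load_inventory(sbom_json))


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_SBOM)
    for item in inv:
        print(f"{item['type']:8} {item['name']:22} "
              f"{item['version'] or '-':8} {','.join(item['licenses'])}")
    for name, reason in policy_gate(inv):
        print(f"VIOLATION: {name}: {reason}")
    # Non-zero exit is what makes a CI/CD step fail on a policy violation.
    raise SystemExit(0 if gate_passes(SAMPLE_SBOM) else 1)
```

Run against the constructed SBOM the script prints the four-line inventory, reports three violations (the AGPL component, and the unpinned, license-less component twice) and exits non-zero, which is the signal a pipeline stage needs to stop a build. A real pipeline would feed it an SBOM produced by an SCA tool rather than the inline sample.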

Launch: At this point the product is generally available, so the security team should protect it with tools such as web application firewalls, bot management, runtime application self-protection, and protection against forgery. These should be designed to protect both the product and customer data based on the risks and threats identified earlier in the lifecycle. The team must also collect telemetry to help detect and respond to attacks.

Grow: The security team’s job in this final stage is to analyze feedback from the protection technologies and compare the product’s security metrics with established baselines and benchmarks. A key objective is to make product security a competitive differentiator. This means analyzing the customer experience to make changes that improve the balance between security and usability.

Application security at all levels

If you’re just getting started, don’t expect maturity to happen overnight. It will require investment in time and people. An organization’s leaders shouldn’t give up if they can’t tick all of these boxes immediately because, as the cliché goes, security is not an event. It’s a journey, a process. To help organizations assess where they are on this journey and what they need to do, Forrester concludes with advice for those at a beginner, intermediate, or advanced level.

Beginner: Laying the foundation for product security requires updating security processes and tools to eliminate unnecessary friction for developers. Additionally, an assessment of the budget, skills, and tools you have available will enable your security team to collaborate effectively with product teams at all stages of the product lifecycle.

Intermediate: At this level, the focus should be on investments in automation and metrics. Select automated and integrated tools carefully and introduce them gradually. Then use metrics to measure their effectiveness. And make sure your product security initiatives span the entire product lifecycle, for both new and updated products.

Advanced: At this point, your organization can turn product security features into revenue growth. But these features won’t deliver a competitive advantage if no one knows about them, so now is the time to engage with other business leaders to build a market awareness strategy.

Forrester: Assess the Maturity of Your Product Security Program | Synopsys

Ryan H. Bowman