In business, you’re only as good as the things that you have control over. And the only things that you can have control over are the things that you proactively measure and manage. If application security is an important part of your overall security program and your business (it should be!) then you must take the proper steps to keep things in check. But it’s not enough to simply go through the motions with what you’ve been doing with policy enforcement, requirements development, and the like. Half-hearted “best practices” have been shown not to work. You must look deeper into your application security efforts and find out what’s actually working and what’s not.

We hear all the time how important it is to integrate security into the software development lifecycle. That’s great in theory. However, in reality, talk is cheap, and security is often not integrated into the lifecycle as it should be. This is the core impediment to application security but there’s more to the story. Based on what I see in my work, there are additional things people do – or don’t do – that lead to application security challenges and ultimately failures. Here are the top ones that I come across:

  1. Development and quality assurance (QA) are often standalone functions that are not well integrated with information security initiatives or business goals.
  2. The very people who are developing and testing the software are often not at the table when security features, threat modeling, and compliance requirements are being discussed. Security staff and other business personnel are under the assumption that all needs and requirements will be met but, in many cases, people are talking past one another and missing the big stuff.
  3. Developers and QA staff are rarely encouraged to take courses, attend conferences, or seek out online content on application security. Yet, many of these professionals still struggle to understand the common vulnerabilities that create most application security risks.
  4. There’s a focus on compliance and risk management but rarely a focus on addressing application security basics and other common vulnerabilities such as those outlined in the OWASP Top 10.
  5. Business leaders often look the other way and fail to understand what’s at stake when application security does not get the proper attention. The assumption is that technical staff have everything under control.

Clearly, being able to move past stumbling blocks such as these is essential for improving both application security and overall IT resilience. It’s complicated but there is something proactive that you can do to improve your efforts. You simply sit down with your team members and other stakeholders to look at each of the areas/functions of your software development and application security efforts such as testing, training, and threat modeling and determine what you need to:

  1. Do more of
  2. Do less of
  3. Start doing
  4. Stop doing

At first, this might appear like an elementary approach to making security improvements but it’s not. This exercise is something that has been used to help turn around entire businesses that were failing and it can work for application security as well. If you sit down and are brutally honest with yourself in terms of the things that are working well and not so well, you should be able to come up with several actionable items for each of these four areas. Once you do, you can prioritize each item and then set specific goals for attaining them.

There’s a saying that if you keep doing what you’ve always done, you’re going to keep getting what you’ve always gotten. With security, there’s always more. There’s always room for improvement. Making big improvements is not going to require massive efforts. Taking a simple approach and reviewing what you’re doing so that you can determine your focal areas is all you need to get started. A relatively simple one or two-hour exercise such as this may be all that you need to get to that next level of application security and stay out of trouble.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.