AppSec Strategy: The Maturity Continuum
Last May, I was asked to speak at a national Financial Services roundtable on the topic of application security. While I knew that these CSOs and Security Directors were no newcomers to the concept of application security, I also knew that they wanted to hear what I’ve been seeing in the industry. So this time, instead of speaking on current attacks and risks, I took a step back and discussed the solution in terms of maturity. The talk focused on how mature organizations are in their approach to managing application security, and how this maturity directly affects their ability to keep up with the evolving application security threatscape.
Today’s podcast provides a brief summary of this talk by running through the three general stages of maturity that organizations can roughly be grouped into:
- Stage 1: Doing Nothing
- Stage 2: Reactive and Tactical
- Stage 3: Proactive and Strategic
Today, it seems that many organizations fit into the Stage 2 group. Some are at this stage because they’re just learning how important application security is. Others are quite knowledgeable about the topic, have conducted numerous assessments, and continue to stay on top of the major risks — but they’re still stuck at Stage 2.
In this podcast, I’ll summarize these three stages, discuss the difficulties and pitfalls of operating like a Stage 2 organization, and end with some pointers on what it takes to get ahead of the game and operate as a Stage 3 organization. During the discussion, I’ll also talk about building security into the development process (SDLC), and mention how important developer education, threat modeling, and documented best practices are to achieving truly effective application security.
Also, if you’re interested in seeing the full version of the App Sec Maturity Continuum presentation, it is available online as an on-demand webcast from the Security PS website.
Kris Drent