Let’s say you tested 46 web applications, 19 mobile apps, and 20 client-server apps this year alone. You also purchased a new application security testing tool in the process. You found 112 vulnerabilities and all-in-all you’re feeling pretty good.
But before you get too excited, ask yourself a few questions:
If you’re not sure what the answers are to these questions, you may have a software security testing plan, but you don’t have a software security strategy in place.
Maybe you’ve already made an investment in application security testing. If that’s the case, you’re on the right track to lowering risk. However, now it’s time to take it to the next level. Turn your application security activities from a cost center to a competitive advantage for your organization. Do so by creating a software security initiative (SSI).
In a word, no.
It’s quite common for application security testing to stand as the de facto software security technique in firms. Application security testing is commonly thought of as a magic bullet that organizations use to prove they take security seriously.
It is indeed a critical and necessary component of a security program. However, ‘penetrate and patch’ testing isn’t a strategy at all. Instead, it’s only a starting block.
There’s no one-size-fits-all security strategy. The most effective initiatives are fine-tuned to fit an organization and build it to scale around staff, processes, and the specific software portfolio at hand. The best foundation to kick off an SSI (or to revive a moldy one) is with these five elements:
Build. To set the best foundation for your SSI, you’ll need to identify key pieces of information to establish your priorities, a governance structure, policies, training, and tools that build security into development cycles.
Measure. When you set objectives for your SSI, tie them to underlying business goals. This way, when you share results, you’ll be able to show how the SSI is fundamentally changing the way your organization operates.
Verify. Once policies and measurement are in place, it’s time to set up checkpoints to verify whether the activities and requirements set forth in your SSI are being completed and are having a satisfactory impact.
Improve. Setting up an SSI isn’t a one-time activity. As you work with the initial SSI structure, you’ll find areas for improvement. Remember, attackers improve everyday as new tools and techniques become available. You should as well.
Manage. As the person at the helm, it’s your job to ensure the ship stays the course. To maintain structure and give you insight into each activity, establish a robust project management system that is responsive to your goals.
Each SSI reflects its parent organization’s structure and culture. While some firms centralize management, others federate. Some rely on outsourcing, while others hire new staff. Some rely on managed services, and others grow their internal technical teams. What’s best for your firm?