The best software security strategy is the one that fits your business. Learn the 5 steps to creating a software security initiative on a solid foundation.
This year you tested 46 web applications, 19 mobile apps, and 20 client-server apps. You purchased a new application security testing tool, and you found 112 vulnerabilities. You’re feeling pretty good.
But before you get too excited, ask yourself this:
If you aren’t sure of the answers to these questions, you may have a software security testing plan, but you don’t have a software security strategy.
If you’ve invested in application security testing already, then you’re on the right track to lowering risk. Now, however, it’s time to take it to the next level: turn your application security activities from a cost center into a competitive advantage for your organization by creating a software security initiative (SSI).
In a word, no.
In case studies and white papers, we regularly see application security testing presented as the de facto software security technique—a kind of magic bullet organizations use to show they take security seriously.
Application security testing is a critical and necessary component of every security program. However, “penetrate and patch” application testing on its own is not a security strategy at all. Application security testing is the starting block, not the finish line.
The most effective software security initiative is fine-tuned to fit your organization and built to scale around your staff, processes, and software portfolio. It helps you “show your work” by providing a clear and understandable methodology for reducing risk and explaining how you’ve made investment decisions.
We believe the best way to set a solid foundation for a software security initiative (or revive a moldy one) is a five-pronged approach:
Each software security initiative reflects its parent organization’s structure and culture. While some firms centralize management, others federate. Some rely on outsourcing, while others hire new staff. Some rely on managed services, and others grow their internal technical teams. What’s best for your firm?