Software Integrity Blog

How can you tell if your software security strategy is working?

The best software security strategy is the one that fits your business. Learn the 5 steps to creating a software security initiative on a solid foundation.

Is your software security strategy working?

This year you tested 46 web applications, 19 mobile apps, and 20 client-server apps. You purchased a new application security testing tool, and you found 112 vulnerabilities. You’re feeling pretty good.

But before you get too excited, ask yourself this:

  • Did you reduce your risk significantly? At all?
  • Did you leave critical vulnerabilities unaddressed?
  • Does your board understand the importance of what you’re doing and the impact of what you did?

If you aren’t sure of the answers to these questions, you may have a software security testing plan, but you don’t have a software security strategy.

If you’ve invested in application security testing already, then you’re on the right track to lowering risk. Now, however, it’s time to take it to the next level: Turn your application security activities from a cost center to a competitive advantage for your organization by creating a software security initiative (SSI).

But I already do application security testing. Isn’t that enough?

In a word, no.

In case studies and white papers, we regularly see application security testing presented as the de facto software security technique—a kind of magic bullet organizations use to show they take security seriously.

Application security testing is a critical and necessary component of every security program. However, “penetrate and patch” application testing alone is not a security strategy at all. Application security testing is a starting block, not the finish line.

Get the eBook How to Build an SSI in 5 Steps

What does an effective software security strategy look like?

The most effective software security initiative is fine-tuned to fit your organization and built to scale around your staff, processes, and software portfolio. It helps you “show your work” by providing a clear and understandable methodology for reducing risk and explaining how you’ve made investment decisions.

We believe the best way to set a solid foundation for a software security initiative (or revive a moldy one) is a five-pronged approach:

  1. Build. To lay the foundation for your SSI, first gather the information you need to set priorities, then establish a governance structure, policies, training, and tools that build security into the development cycle.
  2. Measure. When you set objectives for your SSI, tie them to underlying business goals. This way, when you share results, you’ll be able to show how your software security strategy is fundamentally changing the way your organization operates.
  3. Verify. Once policies and measurement are in place, it’s time to set up checkpoints to verify whether the activities and requirements set forth in your SSI are being completed and are having a satisfactory impact.
  4. Improve. Setting up an SSI isn’t a one-time activity. As you work with the initial SSI structure, you’ll find areas for improvement. Remember, attackers improve every day as new tools and techniques become available. You should as well.
  5. Manage. As the person at the helm, it’s your job to ensure the ship stays the course. To maintain structure and give you insight into each activity, establish a robust project management system that is responsive to your software security strategy goals.

Summing it up

Each software security initiative reflects its parent organization’s structure and culture. While some firms centralize management, others federate. Some rely on outsourcing, while others hire new staff. Some rely on managed services, and others grow their internal technical teams. What’s best for your firm?
