Chapter 15. Beyond Barriers: Navigating the Path to a Successful AppSec Program

Yabing Wang

I started my career as a Java developer and switched to security after five years. In my 20+ years of cybersecurity, I’ve run several successful application security assurance programs (ASAPs). Here are some lessons learned that may give you some insights.

What Are the Core Components of the AppSec Program?

As with other successful programs, the AppSec program should consist of people, processes, and technology:

Introduce an SSDLC process.

Develop, publish, and communicate a policy or standard for the SSDLC process. This is a proactive step toward strengthening the overall security posture of your software development practices. A structured SSDLC integrates security considerations throughout the software development life cycle, so that security is an inherent part of the entire process rather than an afterthought.

Evaluate threat modeling.

Threat modeling is a step that can guide the architecture and the security controls implemented. However, it can become cumbersome, especially in big companies with traditional waterfall processes. You may want to test it out, automate it, and determine whether it works in your company; if it does not, find another way, such as security reviews, to cover the same ground.

Include automated testing capabilities.

Based on your company’s situation, you ...
