CHAPTER 7
An AppSec Program
This chapter will discuss application security programs, which are the formalization of AppSec activities as part of your System Development Life Cycle (SDLC). An AppSec program is not a piece of software; it's a set of related activities with a particular long-term aim.
In this case our aim is to ensure that the software we create and maintain is secure. We do this to reduce risk for our organization and for those we serve (customers, employees, citizens, etc.). We strive to protect and preserve the confidentiality, integrity, and availability of the systems and data in our care.
We create formal application security programs to improve our security posture, to ensure that all of our applications are defended (not just some), and to be able to prove to others that we have done our best to protect our organization. Without a formal program we cannot be sure we are reliably producing software that is safe to put on the internet, and we would have little with which to defend ourselves if a large breach happened at our workplace.
A program is the set of activities we do: performing threat modeling on every new design, reviewing every pull request for security issues, adding security checks to our pipeline, and so on. The point of a program is that these activities are formalized; they are officially part of the way your organization builds software. No one can “skip” a security step in the SDLC, because the activities are mandated rather than optional.
APPLICATION SECURITY PROGRAM REQUIREMENTS ...
From Alice and Bob Learn Application Security (O’Reilly).