Application security assessments are more critical than ever before. Digital transformation is required to meet the expectations of customers in many industries, meaning that companies are looking for software products to help them modernize their operations and meet those demands. However, choosing a piece of software is an expression of trust: by bringing your software into their network, customers are looking to accomplish their goals without letting attackers in.
Customers are starting to question about software security when assessing software products and partners. Recent supply chain attacks are getting their attention. According to the latest Verizon Data Breach Investigation Report, 62% of intrusions result from supply chain security issues. If your software is the weak point, you will lose the trust of that customers as well as others in the industry who find out about the breach.
Why Your Software Security Program Needs Measurement
Your application security strategy needs more than just policies or a technical solution. You need to know what controls you have in place, verify that those controls are working, identify which controls need to be implemented or made more effective, and track your progress. Measuring your success within your application security program helps you make smarter and more impactful decisions to strengthen your security posture.
Application Security Assessment Frameworks
Fortunately, there are industry-standard ways to assess the success of a software security program. Two application security assessment frameworks are becoming industry standards: OWASP Software Assurance Maturity Model (SAMM) and Building Security in Maturity Model (BSIMM).
The building blocks of both frameworks are open, released under Creative Commons Attribution-ShareAlike licenses, giving you the ability to read, assess and adapt the frameworks and documents to your needs. However, they do differ in terms of their development. OWASP SAMM is developed by an open-source community, whereas BSIMM is developed by a private community of member companies in multiple industries.
Both OWASP SAMM and BSIMM lay out the major domains of a software security program. They organize specific activities under each of those domains and position those activities under increasing levels of maturity for a security program.
OWASP SAMM organizes an application security program into business functions (governance, design, implementation, verification, operations), identifies security practices that are critical to each of those business functions, and then maps out security activities to support each of those practices at each of three levels of maturity. BSIMM uses domains of governance, intelligence, secure software development lifecycle touchpoints and deployment. Under those domains, similar to OWASP SAMM, it maps out security practices and the activities that enact each of those practices at three levels of security maturity.
No matter which application security assessment framework you choose, using a framework like OWASP SAMM or BSIMM will help you perform several critical steps toward a software security program. It will help you identify the elements of an effective application security program, put what you are already doing in context of your application security goals, and understand what is missing from your application security program. It will also help you quantify the state of the security program, as well as the evolution, using well-understood metrics. This can help you explain the value of the program both to decision-makers within the organization as well as clients.
Addressing Gaps Revealed in an Assessment
Frameworks are excellent for helping your company find gaps in your current application security program but knowing the gaps is only part of the picture. A framework cannot provide everything necessary for addressing the gaps that you find. In addition to knowing the gaps, you need direction about the most effective way to address those gaps.
Coming up with a good plan to address the gaps identified in an application security assessment requires both a deep knowledge of application security and a detailed understanding of your business. You need to be able to identify which gaps are the most urgent to address, both in the context of the threat landscape and of your goals as a business.
When strengthening your application security program, speed should also be a consideration. Of course, speed does not mean rushing into things blindly. However, in this world of increased digital transformation, product teams want to go to market faster and clients want features added to software faster. To satisfy these demands, time is of the essence; the more quickly your company can prioritize and plan for improvements to your application security program, the better position you will be in to build more secure software and meet client demands.
In the context of both coming up with direction and strengthening a security program in a timeline that satisfies business goals and customers, working with an expert can help. Recruiting and hiring security expertise requires significant time and funding. On the other hand, working with an expert can help lift that burden.
Finding a trusted application security consultant who has experience designing security programs and building them around both business needs and security frameworks is important. Just as important is choosing a partner who has a proven track record of taking a collaborative approach with clients, since the goal will be for that partner to work closely with you to address security gaps and build maturity. With your business goals in mind, an experienced partner can help you determine your current state of security in a measurable way, prioritize security goals and initiatives, develop a plan for real security improvement, strengthen your security expertise and culture, and avoid pitfalls along the way.
Reaching Your Security Goals
Software security has to be a priority; attackers are zooming in on suppliers now more than ever. Customers know this, and they are asking the hard questions. A strong application security program is not just a differentiator; it’s a must. Using an industry-standard framework can help you make sense of your security program, but you also need to have the expertise at hand to go from assessment to meaningful prioritization and improvement.
To learn more about how to assess your application security and find out how collaborating with an expert can help you reach your security goals, contact Kroll’s cyber experts.