My colleague Vishal Asthana, India regional director of Security Compass, discusses four important aspects of appsec programs:
Ponemon Institute and Security Innovation recently made public the results of a research study they did to get an idea of the state of application security across organizations.
Amongst other things, the study listed five simple CMMI levels for ASM (Application Security Maturity) which we felt are pretty apt. Development teams could do a quick reality-check to find out the level where they currently fit. Teams that are already operating at Level 5 (the highest) could vouch for the remainder of this post. Pat yourself on the back and sustain the momentum! Others, who are at lower levels currently and would like to know how to move up the ladder continuously, should incorporate all of the following aspects as an integral part of their application security programs:
- Ongoing Security Audits - Development teams that undergo security audits on a periodic basis find it easier to sustain at a minimum of Level 4. The study listed this explicitly as one of the three pillars of a secure SDLC program and we couldn’t agree more.
- Compliance Accountability - Holding the development teams accountable for compliance, especially with regard to “regulatory requirements”. This is in addition to “secure architecture standards” and “secure coding standards”. This is an excellent recommendation in the study, and one we strongly concur with. More often than not, development teams treat regulatory/compliance requirements as mere checklist items and don’t understand the business impact of non-compliance.
- Dedicated Security Representative - Additionally, we recommend having a dedicated security representative, either internal (within the team) or external (a central security team or external consultants). This ‘human form of external motivation’ (not simply security tools!) makes it easier to move up the levels over time. We would like to stress that this needs to continue until Level 5 is reached. If it is stopped at Level 4, the momentum tends to fade and the team drops back to Level 3 or 2.
- Attrition - We also recommend taking attrition into account for your team’s internal security experts by grooming more than one person (in parallel) for the role. This prevents a single point of failure in case the designated expert leaves the team or the organization.

In conclusion, ‘CMMI levels for ASM’ is indeed a practical way for organizations to get started and incrementally improve their application security programs, but it would be more effective (and SMARTer) if the considerations indicated above are taken into account.
Cross-posted from the SC Labs blog.