Twenty years ago, Bill Gates foresaw the security threats looming as new technologies were introduced and threat actors ramped up their efforts. He urged that security be built into every stage of the software life cycle in his company's products. It is a lesson developers have not taken to heart: AppSec still lags far behind the rest of the development process. AppSec ends up being the responsibility of the CISO and the security team, but, as a Coalfire report suggests, there is a way to turn AppSec into a best practice within the organization: establishing an AppSec champions program.
What Is an AppSec Champion?
An AppSec champion holds a cross-functional role: they advocate for security practices and security considerations at every level of discussion, planning, development, testing and support of internally developed applications, explained Caitlin Johanson, vice president, application security at Coalfire, in an email interview.
“It is a critical role that crosses traditional organizational silos to inform and highlight the security needs and priorities of software development organizations so that security isn’t an afterthought or just a box to check,” Johanson added.
Any organization that is developing an application, software, product or tool that serves a business-critical function or handles sensitive data, whether for internal or external use, should consider creating an AppSec champion program.
“An effective application security program is one that has support and understanding from every level of a company in order to echo the importance of security processes and practices,” Johanson stated.
What to Expect From an AppSec Champion Program
According to the Coalfire report, “AppSec Champions programs typically exist in organizations with a centralized security function that is responsible for software risk and works with software development teams to increase the security of applications being built.”
Successful programs have three things in common: a security team that is very small relative to the developer population (the survey found a ratio of 1:50), AppSec champions who have enough managerial leverage to influence change, and vulnerabilities tracked across the life cycle as the measure of success.
In its survey, Coalfire also found that AppSec champion programs are organic: the security team recognizes the need for governance over application security and develops a program without any formal organizational mandate. Often, the CISO's blessing is the only approval the program receives.
Because of this hands-off nature, AppSec champion programs work best in organizations with mature security practices that employ people who are proactive about taking the lead and good at communicating with others. For the program to succeed, it needs staff who are willing to take charge and run with it.
Once the decision is made to start an AppSec champion program, it will take, on average, six months to get up and running.
“AppSec champions enable a reality where application security is synonymous with security,” said Johanson. “AppSec champions provide a role that advocates for the AppSec program for the organization, making sure departmental silos have a common voice, vision and goal for promoting security throughout the design and development life cycles.”
Once the program is up and running, it brings the application's risk posture into line with the organization's commonly understood and agreed risk tolerances.
“With that,” said Johanson, “organizations can also continuously assess and adjust accordingly to meet the ever-changing risk landscape of developing applications in the modern world.”