
SnykCon recap: Building a developer-focused AppSec program


January 27, 2022


Building an application security program can be overwhelming. The steady stream of content encouraging teams to shift left is inspiring, but it doesn’t help you get started. Looking toward organizations with mature AppSec initiatives can make the gap seem insurmountable — all while an actionable plan remains elusive. Like anything else in software development, application security is a journey, and it is a much more enjoyable one with some guiding principles.

While last year’s SnykCon provided a wealth of AppSec tips and best practices, two talks featuring Snyk customers focused on the process of building and maintaining a culture of secure development in your organization. In one, Per Olsson (AppSec Advisor, Visma) shared the lessons he learned as a developer turned security advisor. In the other, we joined a panel of three security experts from different industries in a discussion of how they built effective security programs from the ground up.

These talks spark discussion about navigating the stages, milestones, and challenges of a developing AppSec program — and give us a map toward a successful security culture.

Starting your AppSec program from scratch

What is AppSec?

When building a program from the ground up, it's important to understand what application security is, as well as your specific needs. Olsson framed this well by saying, “AppSec isn't about application security at all”. Security starts with people. Everyone that makes up an organization — developers, managers, quality assurance teams, design, legal — creates the foundation for a security program. Most security incidents are a product of human error, and when schedules are tight, teams may deprioritize security in favor of features or other tasks with a clear return on investment. Therefore, the first step is to make security a priority.

Start small

A common thread across all our SnykCon experts was to start small. Far-reaching security programs didn’t form overnight, and we need to avoid comparison in the early stages of development. The Visma security team started as a special interest group with a manager and several developers. Both Nicholas Vinson (Head of DevSecOps, Pearson) and Gagan Bhatia (Head of Cyber Security Delivery, 10x Banking) encouraged PMs to embed an experienced security engineer into a small team of interested developers, who work together to identify requirements and potential threats. It’s important to share secure coding practices with all developers and empower them to be creative in how they implement AppSec within the existing SDLC. The end goal should be a cultural shift toward secure coding, and that starts with individuals.

Release control

Finally, security has to let go of (some) control. The security team should be a guide and resource to developers — not a warden. The siloed culture that surrounds traditional security methods must be traded for transparency and cross-team collaboration. Every team within an organization will have different needs, goals, and delivery methods. Giving development teams actionable tools and guidance allows them to take ownership of their AppSec programs and strengthens their commitment to secure coding practices.

Refining a mature AppSec approach

Continuous improvement

Once your program is off the ground, the improvement process begins. As trust grows between the security, development, and management teams, tools and workflows can be assessed. Olsson did this by interviewing the development teams he worked with. This allowed the growing security team to increase efficiency, verify that the security plan fit the developers' needs, and locate threats that had slipped through the cracks. As security tasks shift left, automation and continuous testing support the AppSec program by supplying consistent data.

Defining success

Often, growing security teams struggle to quantify their success. Unlike feature delivery, security initiatives don’t always offer immediately visible results (How do you measure all the breaches you don’t have?). And while tools supply plenty of data, contextualizing it can be a challenge. When beginning to define what makes a security program successful, it’s important to “know something we didn't know yesterday,” said Stefan Steglich (Application Security Product Manager, Skybetting & Gaming).

The ways you measure success should serve your program’s message — not the other way around. Also, be sure to celebrate early wins. Whether it’s positive feedback on the program in general or increased interaction with your chosen security tools, it’s important to step back and recognize how far you’ve come.

Practical metrics

When it comes to practical metrics, Vinson recommends tracking three types: design requirements, operational metrics, and security maturity assessments. Design requirements are the output of threat modeling. These metrics determine whether your AppSec program is addressing all the potential risks that were identified and help discover new threats as they arise. Operational metrics are vulnerability statistics. Be it output from SAST scanning, number of fixes, etc., these metrics display vulnerability trends and help make design requirements more accurate. Finally, a security maturity assessment gives context to the previous metrics and to the program as a whole. This broader assessment helps pinpoint where you are in the AppSec journey and whether you’re ready to advance. Data on unmet needs, teams’ capacity for security tasks, and adoption of security principles at all levels is vital for planning next steps.
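To make the "operational metrics" category concrete, here is an added example (not code from the talk, from Snyk, or from any of the speakers' organizations) that derives a vulnerability trend from two SAST snapshots. It reads the SARIF 2.1.0 format that most SAST tools can write and compares consecutive scans to count introduced, fixed, and carried-over findings plus open findings by severity. The scan data, tool name, rule IDs, and file paths are constructed for the example; the only real structure is the SARIF `runs[].results[]` layout.

```python
"""Operational AppSec metrics from SAST output (added example, not Snyk's code).

Two constructed SARIF 2.1.0 snapshots stand in for consecutive weekly scans of
one repository. Each finding gets a stable identity, and diffing the identity
sets of successive scans yields the "vulnerability trend" numbers a growing
AppSec team can report: introduced, fixed, carried over, open by severity.
"""
import json
from collections import Counter


def _result(rule, level, uri, line):
    """Build one SARIF result object (constructed sample data, hypothetical rule IDs)."""
    return {
        "ruleId": rule,
        "level": level,
        "message": {"text": f"{rule} in {uri}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }


def _sarif(results):
    """Wrap results in a minimal SARIF 2.1.0 document (tool name is hypothetical)."""
    return json.dumps({
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": results}],
    })


# Constructed: week 1 has three findings; by week 2 the SQL injection is fixed
# and two new findings appear, while the other two are carried over unchanged.
SCAN_WEEK1 = _sarif([
    _result("sql-injection", "error", "app/db.py", 42),
    _result("path-traversal", "error", "app/files.py", 17),
    _result("weak-hash", "warning", "app/auth.py", 8),
])
SCAN_WEEK2 = _sarif([
    _result("path-traversal", "error", "app/files.py", 17),
    _result("weak-hash", "warning", "app/auth.py", 8),
    _result("xss", "error", "app/views.py", 55),
    _result("hardcoded-secret", "warning", "app/config.py", 3),
])


def _finding_key(result):
    """Stable identity for a finding across scans.

    Prefer the tool's partialFingerprints (SARIF's mechanism for tracking a
    result as surrounding code moves); fall back to rule + file + line, which
    is brittle when lines shift but works for tools that emit no fingerprints.
    """
    loc = result["locations"][0]["physicalLocation"]
    uri = loc["artifactLocation"]["uri"]
    fingerprints = result.get("partialFingerprints")
    if fingerprints:
        return (result["ruleId"], uri, tuple(sorted(fingerprints.items())))
    return (result["ruleId"], uri, loc.get("region", {}).get("startLine"))


def load_findings(sarif_text):
    """Parse a SARIF document into {finding identity: level}."""
    doc = json.loads(sarif_text)
    findings = {}
    for run in doc["runs"]:
        for result in run.get("results", []):
            # SARIF defaults a missing level to "warning".
            findings[_finding_key(result)] = result.get("level", "warning")
    return findings


def trend(previous, current):
    """Compare two scans and return the operational metrics worth reporting."""
    prev_keys, cur_keys = set(previous), set(current)
    fixed = prev_keys - cur_keys
    introduced = cur_keys - prev_keys
    carried_over = prev_keys & cur_keys
    return {
        "open": len(current),
        "open_by_level": dict(Counter(current.values())),
        "introduced": len(introduced),
        "fixed": len(fixed),
        "carried_over": len(carried_over),
        "net_change": len(current) - len(previous),
        # Share of last scan's findings that no longer appear.
        "fix_rate": round(len(fixed) / len(previous), 2) if previous else 0.0,
    }


def weekly_trend():
    """Trend between the two constructed snapshots."""
    return trend(load_findings(SCAN_WEEK1), load_findings(SCAN_WEEK2))


if __name__ == "__main__":
    print(json.dumps(weekly_trend(), indent=2))
```

Run over real scans, the same diff gives a per-repository time series; tracking "carried over" separately from "open" is what shows whether developers are actually closing findings or whether the backlog is just being rolled forward each week. Keying on fingerprints rather than line numbers matters for the same reason: without it, a refactor that moves code reads as one finding fixed and one introduced, and the fix rate is inflated.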

AppSec should support developers

Whether your security team is employee number 1 or 100, the challenges are similar. Defining a security plan, developing proper metrics, and explaining all of this to your team members is an ongoing process that’s never truly complete. The tools you choose to support a developing AppSec program play a huge role in how effective you’ll be. Programs that generalize or rely on theoretical models likely won’t fit a tailored security approach. Scanning software that produces a wealth of data can be useful to security experts, but not to the developers you’re aiming to empower.

And this is why Snyk was designed with developers in mind. Our platform gives security and development teams a single place to find and fix vulnerabilities in their applications. When you can find and fix vulnerabilities as you code (in as little as five minutes), you can remove bottlenecks from your AppSec processes. Start your free trial today and see how we’re helping millions of coders develop fast and stay secure.
