A Software Security Checklist Based on the Most Effective AppSec Programs

Chris Wysopal and Chris Eng of Veracode joined Dave Gruber, senior analyst at the Enterprise Strategy Group (ESG), and Graham Cluley, award-winning author and podcast host, at Black Hat USA to discuss a new ESG research report on the security of modern application development. The research is based on a survey of nearly 400 developers and security professionals and examines the dynamics between the two roles, their pain points, how well security teams understand modern development, and the purchasing intentions of application security (AppSec) teams.

The panel reviewed the data, which led to a broader discussion of AppSec best practices and what organizations can do to mature their programs. The best practices from that session are presented here as an easy-to-use checklist, with supporting data from the ESG report.

Application security testing is tightly integrated into the CI/CD toolchain.

In the ESG survey, 43% of organizations agreed that DevOps integration is the most important factor in improving their AppSec program, yet only 56% reported using a highly integrated set of security controls throughout the DevOps process. Integrating security into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, it also lets organizations find security issues earlier, which shortens time to deployment.
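As an added example of what "integrated into the CI/CD toolchain" looks like in practice (this is not code from the Veracode post or the ESG report, and it is tool-agnostic rather than specific to any vendor's scanner), the script below is a pipeline gate: it reads the SARIF 2.1.0 output that most static-analysis tools can emit, tallies findings by level, and returns a non-zero exit status when anything at or above a chosen level is present, so the build stops and the developer sees the offending file and line in the pipeline log. The SARIF document embedded in it is constructed for the example; the rule IDs, file names and the `example-sast` tool name are placeholders.

```python
"""Gate a CI stage on static-analysis results in SARIF format.

Added example (not from the Veracode post or the ESG report): a small,
tool-agnostic check that a pipeline can run after any SAST step that
emits SARIF 2.1.0. It fails the build when findings at or above a chosen
level are present and prints a short summary so the developer sees what
to fix without leaving the pipeline log. The SARIF document below is
constructed for the example.
"""
import json
import sys

# SARIF result levels in increasing order of seriousness.
LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}

# Constructed sample: what a SAST tool might emit for three findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "message": {"text": "SQL built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "CWE-338", "level": "warning",
             "message": {"text": "random.random() used for a token"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "STYLE-1", "level": "note",
             "message": {"text": "unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def parse_findings(sarif_text):
    """Flatten a SARIF document into dicts of level, rule, file, line, message."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF's default level is "warning"
            loc = {}
            if result.get("locations"):
                loc = result["locations"][0].get("physicalLocation", {})
            findings.append({
                "level": level,
                "rule": result.get("ruleId", "?"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def gate(findings, fail_on="error"):
    """Return (blocking, counts): findings at or above `fail_on`, and a per-level tally."""
    threshold = LEVEL_RANK[fail_on]
    counts = {lvl: 0 for lvl in LEVEL_RANK}
    blocking = []
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
        if LEVEL_RANK.get(f["level"], 1) >= threshold:
            blocking.append(f)
    return blocking, counts


def main(argv):
    # Usage: python sast_gate.py results.sarif [error|warning|note]
    # With no file argument the constructed sample above is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    fail_on = argv[2] if len(argv) > 2 else "error"
    blocking, counts = gate(parse_findings(text), fail_on)
    print("findings by level:", counts)
    for f in blocking:
        print(f"BLOCKING [{f['level']}] {f['rule']} {f['file']}:{f['line']} {f['message']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs as the step after the scanner, with the threshold started at `error` so the gate does not block every merge on day one; lowering it to `warning` once the backlog is worked down is the usual way to ratchet the control tighter without stalling delivery.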

Application security best practices are formally documented.

For an AppSec program to succeed, everyone needs to be on the same page about best practices. The CISO should drive the formal documentation of AppSec best practices so that developers and security professionals can refer to the list and make decisions against it.

Application security training is included in the existing security training program.

Developers are increasingly expected to take on security tasks, including writing secure code and fixing vulnerabilities. Most developers do not receive secure coding courses at university, so it is up to organizations to provide security training. Yet according to the survey, more than 20% of organizations only offer training when a developer joins the team.

Developers should have a variety of opportunities to learn at their own pace throughout the year, including virtual or hands-on programs such as Veracode Security Labs. Chris Wysopal stressed the importance of human touchpoints in developer training: if someone checks in with developers to make sure they are keeping up, they are likely to take it more seriously. One way to do this is a security champions program. Security champions are developers who want to learn about security; with at least one security champion on every Scrum team, that person can make sure his or her colleagues are current on the latest security training and best practices.

Ongoing security training for developers includes formal training programs in which a high percentage of developers participate.

Self-paced security training is a great way for developers to learn in their spare time, but it is also important to provide formal security training with a fixed completion date and a competency assessment. Without formal training, developers may not acquire the skills needed to write secure code and fix vulnerabilities, and the result is slower and more expensive deployments because of rework or vulnerable code.

According to the survey, 35% of respondents said that less than half of their development teams participate in formal training, and only 15% said that all of their developers do. Less than half require their developers to take formal training more than once a year.

Development managers are responsible for disseminating best practices to developers.

Developers rely on the guidance they get from their development managers, so development managers should follow the documented AppSec best practices themselves and communicate them to their developers.

Security issues are tracked by individual development team.

Forty-two percent of organizations responded that they track security issues by the individual development team that introduced them. That number should be much higher: if you do not track which security issues each team introduces, a team can make the same mistake several times without anyone noticing. Tracking issues per team lets you focus improvement efforts on the teams and individuals that cause the most problems.

The AppSec program is measured with formal processes and metrics to ensure its continuous improvement.

You need a formal process for regularly measuring your AppSec program against metrics. With the right metrics you can identify where the program is working well and where it can be improved, and the same data can show management and stakeholders whether their AppSec investment is delivering the expected return on investment (ROI).

Individual development teams are measured against metrics to ensure continuous improvement.

Just as you need to track which security issues each development team introduces, you also need to verify that development teams are continuously improving. When you approach a team or individual about security issues, you should expect them to take steps to ensure the same mistake does not recur, and the metrics are how teams demonstrate that they are actively working on improvement.
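The three preceding items (tracking issues per team, measuring the program, and measuring each team's improvement) share one data set: findings records with the owning team on each. As an added example, not code from the Veracode post or the ESG report, the script below computes from such records the metrics those items call for: open findings per team, the weakness classes a team keeps reintroducing (the "same mistake several times" signal), mean time to remediate, and whether each team's rate of new findings is falling between two periods. The findings, team names and dates are constructed for the example, and the record layout (a `team`, a CWE id, `opened` and `closed` dates) is an assumption about what a scanner or ticketing export would contain, not any particular product's schema.

```python
"""Per-team security-issue tracking and AppSec program metrics.

Added example (not from the Veracode post or the ESG report). Takes a
list of findings records, each carrying the team that owns the code,
and computes per-team metrics for tracking issues and demonstrating
improvement. All records below are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed findings export. "closed" is None while the flaw is still open.
FINDINGS = [
    {"id": 1, "team": "payments", "cwe": "CWE-89", "severity": "high",   "opened": date(2021, 1, 12), "closed": date(2021, 1, 20)},
    {"id": 2, "team": "payments", "cwe": "CWE-89", "severity": "high",   "opened": date(2021, 2, 3),  "closed": date(2021, 2, 28)},
    {"id": 3, "team": "payments", "cwe": "CWE-89", "severity": "high",   "opened": date(2021, 5, 9),  "closed": None},
    {"id": 4, "team": "payments", "cwe": "CWE-79", "severity": "medium", "opened": date(2021, 4, 1),  "closed": date(2021, 4, 11)},
    {"id": 5, "team": "search",   "cwe": "CWE-79", "severity": "medium", "opened": date(2021, 1, 5),  "closed": date(2021, 1, 8)},
    {"id": 6, "team": "search",   "cwe": "CWE-22", "severity": "high",   "opened": date(2021, 2, 14), "closed": date(2021, 2, 18)},
    {"id": 7, "team": "search",   "cwe": "CWE-79", "severity": "low",    "opened": date(2021, 4, 20), "closed": None},
]

ASOF = date(2021, 6, 30)  # reporting date for the metrics below


def open_by_team(findings, asof=ASOF):
    """Count findings still open at `asof`, per team."""
    out = Counter()
    for f in findings:
        if f["opened"] <= asof and (f["closed"] is None or f["closed"] > asof):
            out[f["team"]] += 1
    return dict(out)


def repeat_weaknesses(findings, min_count=2):
    """Weakness classes a team has introduced `min_count` or more times:
    the 'same mistake several times' signal that training should target."""
    seen = Counter((f["team"], f["cwe"]) for f in findings)
    out = defaultdict(dict)
    for (team, cwe), n in seen.items():
        if n >= min_count:
            out[team][cwe] = n
    return dict(out)


def mean_time_to_remediate(findings):
    """Mean days from opened to closed, per team, over closed findings only."""
    days = defaultdict(list)
    for f in findings:
        if f["closed"] is not None:
            days[f["team"]].append((f["closed"] - f["opened"]).days)
    return {team: sum(d) / len(d) for team, d in days.items()}


def new_findings_trend(findings, split):
    """Findings opened before vs. on/after `split`, per team, plus the
    direction of change; a falling count is the evidence of improvement."""
    before, after = Counter(), Counter()
    for f in findings:
        (after if f["opened"] >= split else before)[f["team"]] += 1
    teams = set(before) | set(after)
    return {t: {"before": before[t], "after": after[t],
                "improving": after[t] < before[t]} for t in teams}


if __name__ == "__main__":
    print("open findings per team:", open_by_team(FINDINGS))
    print("repeat weakness classes:", repeat_weaknesses(FINDINGS))
    print("mean time to remediate (days):", mean_time_to_remediate(FINDINGS))
    print("new findings before/after 2021-04-01:",
          new_findings_trend(FINDINGS, date(2021, 4, 1)))
```

On the constructed data the payments team has introduced SQL injection (CWE-89) three times and is still opening new findings at the same rate, while the search team's count is falling; that is exactly the per-team picture the checklist asks for, and the same numbers, rolled up across teams, are the program-level metrics to show management.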

Security issues are tracked during code development.

If code is not checked for security issues during the development phase and a vulnerability is only found later in the software development lifecycle (SDLC), fixing it can be time consuming and costly. You can check code as it is written with a tool such as Veracode IDE Scan, which gives real-time feedback on the code in the editor and offers remediation guidance.

Automated risk aggregation tools are used to keep senior management informed about development issues.

Managers need to be fully aware of the risks and vulnerabilities in their applications. Consider using automated risk aggregation tools to keep them informed efficiently.


To make sure your organization follows best practices, download the print-ready Software Security Checklist: 10 Elements of an Effective AppSec Program.

*** This is a Security Bloggers Network syndicated blog post from the Application Security Research, News, and Education Blog authored by hgoslin. The original post can be found at https://www.veracode.com/blog/intro-appsec/software-security-checklist-based-most-effective-appsec-programs.
