The best AppSec and security engineering programs owe their success to Security Champions Programs aimed at embedding security ideals into the development team.
In this episode of The Security Champions Podcast, Mike talks to Jason Haddix, the Chief Information Security Officer at BuddoBot, about best practices learned from his experience running security champion programs, the layers of application security, and how to foster collaboration between development and security teams.
An effective application security program is made up of layers that work together to protect users and businesses from vulnerabilities and threats. But not all application security programs are meant to be the same – the key is to grow your program into what you need it to be.
Secure coding training is your first line of defense for your application security program. This is the broadest layer of your application security program and can be the most effective for creating a safe application within your project timeline.
By implementing secure coding training continuously in your SDLC, you can build a team that creates quality code more quickly by preventing vulnerabilities from being introduced in the first place.
Read More: Managing Human Risk For Safer Applications
While security scanning tools and pen testers are valuable components of a robust security strategy, they are meant to catch mistakes – not prevent them.
They have inherent limitations that make them inadequate as the sole defense mechanism:
Read More: The Importance of Secure Code Training: Building a Strong First Line of Defense
Your security champions are one of the more powerful layers of an application security program.
Your security champions can help reduce the load on your security pipeline. Security-conscious people are able to work cross-functionally to build the safety rails into your development lifecycle that lead to an overall safer development process.
Here are other ways security champions can benefit your application security program:
Read More: How Security Champions Help Improve Application Security
It’s all too common for organizations to work in silos: the development team creates and delivers code, while the security team handles any security incidents internally and returns action items to the development team.
It often takes a security breach before organizations look at their internal processes and see that they need to bridge the divide between development and security teams.
You can change the security culture of your entire organization through small changes that focus on the three C’s:
To learn more about security champion programs and other AppSec topics, please subscribe to "The Security Champions Podcast" by Security Journey.