Building and Scaling Your AppSec Program: 6 Essential Steps
Building and scaling an AppSec program needs to be a priority if you develop software in your business. As software becomes more interconnected due to open-source libraries, APIs, microservices, cloud-native architectures, and more, the risks and complexities of securing expanding attack surfaces grow too. Application Security Posture Management (ASPM) provides a key solution to manage these complexities and successfully build and scale an AppSec Program. As Gartner predicts, “By 2026, over 40% of organizations developing proprietary applications will adopt ASPM to more rapidly identify and resolve application security issues.”
If you want to know how to build and scale an AppSec Program within your organization, here are the steps you’ll need to follow.
Identify all relevant stakeholders
Q: Who should be involved in building the right AppSec program for your organization?
A: CTO, CISO, leaders, and team members.
To build the right AppSec program that the team will adopt and continue to use, you need all stakeholders involved from the outset. It’s not enough for leadership to come in with a mandate and a vision of an end state. You need to get your frontline workers on board and involved in the initial decision-making process. Of course, across a team of hundreds of developers, it’s not practical to involve everyone. Choosing the right team members to represent your developers in the decision-making process should be a key activity.
Assemble the right planning and implementation team
Who will be responsible for drawing up the AppSec program itself? While it’s easier to identify which stakeholders are necessary for consultation, the planning and implementation team will be smaller. Typically, there will be a mixed team of security and development: a security leader, a project manager, plus other security champion stakeholders with the time to dedicate to the project. Many organizations choose to bring in consultants to work alongside the team to ensure the right AppSec program is being built. This is particularly valuable when there is a lack of experience in setting up a new AppSec program within a team. It’s always better to have an expert or two on board for guidance.
Develop a strategic plan
“As application security professionals, we want to minimize the risk of scary apps and then try to bring everything across the board up to a higher security posture.” - Tanya Janca
Once the team is assembled, it’s time to develop a strategic plan and a roadmap for the program rollout. This requires deep planning experience from related projects, and the team will need to decide whether to follow one particular AppSec methodology, a combination of methodologies, or develop their own. A good starting point for businesses new to AppSec is the OWASP Top 10. There is even a guide titled How to Start an AppSec Program with the OWASP Top 10 that organizations can follow to get started. The AppSec program team should have a plan in place for reaching a defined level of maturity, and should already be thinking about the next level of maturity beyond that.
Pick tools to fit your process - not the other way around
“86% of organizations agree that security tools are interchangeable; it’s the process that’s most important” - State of Application Security Report 2023, The Purple Book Community
While tooling shouldn’t be the main focus of AppSec, there is no doubt that it is a critical component. Some organizations will aim for a high number of open-source tools, while others take up a mix of solutions. With tooling, it’s important that the toolchain is coordinated and managed to ensure coverage while avoiding overwhelming alerts that frustrate developers. Tools like ArmorCode can help with scan orchestration, prioritization, and workflow automation so that developers can get on with their jobs while the codebase stays secure.
Select a team and project for the first launch
Rolling out a new AppSec program across the entire organization at once is a recipe for disaster. Instead, you should start with a small, security-conscious development team within the organization, preferably one that is ready to start a brand-new project. By running through the new AppSec program with this trial team and project, you’ll be able to capture lessons learned and feedback from the developers, and fill in any gaps you may have overlooked.
Refine and deploy across the organization
After refining the AppSec program, it can be rolled out in stages to teams across the organization, depending on the size of your business. Organizations should have a training package ready for teams to follow. The rollout itself will typically occur by department or work area, or even by teams working on the same project. It is important to be patient, as some teams will pick up the new processes and tools faster than others. Once the new program is in place, the AppSec program team will be able to start planning for the organization to reach the next level of AppSec maturity.
ArmorCode solutions are designed to help organizations with in-house software development become more mature in their AppSec programs. If you are looking to build or scale your AppSec program, reach out to learn how we can help.