Three priorities every AppSec leader should be focused on

Emma Stocks | 27 July 2020 at 13:50 UTC
Tags: AppSec, security, DevSecOps, Cybersecurity

The challenges faced by AppSec managers in the current digital landscape are numerous and ever-growing. However, we’d be willing to bet that every challenge you’re facing has also been staring another weary AppSec manager in the face: one desperately trying to get their organization to understand that security is everybody’s problem, and that it should be staking out the number one spot on everyone’s strategic priority list.

The current state of application security

According to Verizon’s 2020 Data Breach Investigations Report, 43% of security breaches involved web application attacks, a 50% increase on the previous year. The growing complexity of applications, and the additional security challenges this raises, means that your security measures always need to be one step ahead.

ISACA’s State of Cybersecurity 2020 report stated that 57% of organizations currently have unfilled cybersecurity positions. Skills shortages, high-cost manual testing, and continually expanding application portfolios present further challenges to scaling AppSec successfully.

We all know that customers want better products, and they want them delivered faster. But how can you make this happen when security is slowing things down and needs more investment?

Embrace a shift toward DevSecOps

Release velocity is increasing exponentially. Your customers are screaming for everything to be faster, more reliable, and available yesterday. There is no leniency for a business that lets security testing become a bottleneck.

Sonatype’s most recent DevSecOps Community Survey showed that 52% of developers know that application security is important, but do not have the time to spend on it. Fragile, instrumented AppSec approaches no longer cut the mustard. Development teams are already embracing agile workflows, and application security needs to follow suit to work with them.

GitLab’s 2020 DevSecOps report states that 53% of respondents feel that, at some level, their efforts to fix bugs are slowed by red tape. It’s clear that a shift needs to take place.

Take security testing down from its end-of-pipeline pedestal. Start integrating it into your CI/CD pipelines. Lead your teams toward automating their routine testing. You’ll likely find that increased delivery speeds, and a heightened security focus, follow swiftly after.

Challenge the pentesting paradigm

Harnessing automated scanning for open-goal vulnerabilities allows your limited resources to stretch further, so that the time and money spent on manual penetration testing is applied only where it has the greatest effect.

Manual penetration testing will remain a valuable, and still integral, aspect of your security testing. The shift that needs to occur involves more effective use of pentesting. This should combat the knock-on effects of time-short, talent-rich manual testing yielding an unsustainably low ROI.

There is an effective antidote to this self-perpetuating risk cycle. Enterprise-enabled web application security software, with high-powered automated scanning capabilities, holds the key to scaling your limited resources.

By embracing routine, automated scanning in this way, you’ll find that the near impossible task of shifting end-of-pipeline testing toward integrated solutions becomes much simpler.

Advocate for enablement and education

To keep your teams (and applications) agile, you need to be planning three steps ahead for every process. Training, learning, and development are key factors here. If your teams are actively aware of the latest vulnerabilities and security risks, your whole pipeline will run on a much smoother trajectory.

The ongoing skills shortage within cybersecurity is further illustrated in ISACA’s report, with 70% of organizations agreeing that fewer than half of cybersecurity applicants are well qualified.

A well-rounded security practitioner should be spending just as much time, if not more, on ensuring the ongoing security of existing applications. Ongoing security measures include ensuring that everyone in your organization is not only aware of the current threat landscape, but is adequately equipped to battle safely through it. After all, there’s no gain to be made from adding new defensive battlements onto the foundations of a crumbling castle.