One Article Review

Home - The article:
Source Veracode
Identifier 2299275
Publication date 2021-02-05 09:59:35 (viewed: 2021-02-05 16:07:04)
Title AppSec Bites Part 2: Top 3 Things to Consider When Maturing Your AppSec Programs
Text A joint blog post from Veracode and ThreadFix.

When it comes to maturing an AppSec program, there are several best practices that can help you get started. In part two of our AppSec podcast series, Tim Jarrett, Director of Product Management at Veracode, and Kyle Pippin, Director of Product Management at ThreadFix, share the top 3 things they've learned from organizations that have successfully matured and scaled their AppSec programs.

1. Know your anchor points.

The first thing you need to think about when maturing your AppSec program is the current landscape of your organization. What are the things you can't change? It could be that you can't find more AppSec resources (supply and demand) or that there is no budget for additional scan types. Whatever the constraints are at your organization, you need to acknowledge them so that you can find acceptable workarounds.

2. Automate.

Next, if you are not doing so already, you need to automate as much as possible. If application security scans are automated into the developers' existing tools and processes, there will likely be an increase in scan activity and developers will have more free time to work on securing their code and remediating flaws. Automation can also be used for other purposes, like onboarding. Since security professionals are hard to come by, they are often stretched thin for time. Because of this, security professionals can become a bottleneck when it comes to software deployments. If you automate some of their tasks, like onboarding developers in security best practices, it can free up some of their time and improve speed to market.

3. Focus on outcomes.

Last, but certainly not least, it's important to focus not just on finding, but fixing flaws. You can help developers improve fix rates through training measures. For example, Veracode Security Labs is a great tool to help developers practice writing and remediating code in their chosen language.
Implementing a security champions program is also a useful way to help make security top of mind for developers. Most developers don't take security courses in college, so unless they are learning about security at their organization, chances are it's not a strong skillset. If you find developers who are interested in learning more about security, you can train them to be security champions and they can take those skills back to other developers. To learn more about the best practices for maturing your AppSec program, check out part 2 of our AppSec Bites podcast series with ThreadFix.
Sent Yes
Tags Tool


The article does not appear to have been republished after its publication.


The article does not appear to be a republication of an earlier one.