If your company develops software, then the answer is always: yes, you need an AppSec program. But what is an AppSec program, and why do you need one?
What is an AppSec program?
Application Security (or Software Security) reduces the risks inherent in your application by introducing security practices and implementing controls. The AppSec program drives this process and has three goals.
- Determine the amount and kinds of risk present in the application.
- Help select appropriate mitigating measures to reduce or eliminate the risk.
- Validate risks are properly mitigated and in line with business expectations.
Why do I need an AppSec program?
All software presents risks to your business.
- Losing customer data in a data breach.
- Being unable to do business due to a Denial of Service.
- Harm to your reputation because of phishing or ransomware attacks.
And maybe rephrasing the question helps: Why don't you need an AppSec program? Let's go over some often-heard excuses.
We performed a pentest and solved all issues
So you do have an AppSec program! You (or your customers) wanted your application to be secure and determined that a pentest was the right way to address the issue. You identified a risk and implemented a mitigation. Granted, your AppSec program is probably very ad hoc and inefficient, but at least you have one. The next step might be to make it more formal and efficient, since pentests are often not the most cost-effective mitigation technique.
We never had a security incident
Either you have no way to detect incidents, which is very bad and means you definitely need an AppSec program, or you do, and what you mean is that you have never had a major incident, which may well be because of your AppSec program.
Use the Secuma tools to implement an AppSec program
We've made it our mission to help companies of all sizes implement an effective AppSec program. Our tools allow you to assess your security practices, set improvement goals and track implementation progress. They give you a concrete answer to the question: is my software secure?