3 Key steps to establish a successful AppSec Program at organizations

By Shabir Bhat


Enterprises in today’s digital era are actively embracing cloud-native approaches, triggering a transformative shift in the application development landscape. This change has prompted organizations to reimagine their applications and redefine their composition, development methodologies, packaging, and even deployment strategies. However, cybercriminals are becoming more sophisticated too, and with threats multiplying rapidly and constantly evolving, enterprises are compelled to build a robust AppSec program to secure their valuable digital assets.


According to findings from the Global CISO Survey: The Growing Impact of AppSec on Business, an overwhelming 77% of Chief Information Security Officers (CISOs) say that at least 50% of their organization’s revenue relies on applications they are responsible for protecting. Furthermore, Checkmarx’s Global Pulse on AppSec Report 2023 reports that 86% of organizations have opted to deploy code with known vulnerabilities into production to meet pressing business or feature-related deadlines; according to its 2024 Future of AppSec report, that number increased to 91%. Just as alarming, the Global Pulse on AppSec Report 2023 reported that 78% of organizations had encountered at least one security breach in the previous year attributed to vulnerabilities within their developed applications; and in. These statistics underline the significant risks involved and the critical importance of strengthening application security (AppSec) measures in the face of growing threats and their potential repercussions.


Securing enterprise applications includes extending robust security measures from code to the cloud. The concept of bringing AppSec to every stage in the Software Development Life Cycle (SDLC) is critical to maximizing security outcomes.

This inclusive approach covers secure code development, continuous developer training, robust API security, secrets exposure prevention, and early vulnerability identification using Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools. It also includes runtime analysis with Dynamic Application Security Testing (DAST), container security, and Infrastructure as Code (IaC) security during deployment. Embedding these practices at every stage secures applications against a range of threats and promotes a proactive, resilient security posture.
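The practical consequence of embedding these controls at every SDLC stage is that their findings have to be merged and acted on before a build ships, which is exactly where the "deploy with known vulnerabilities to hit a deadline" statistic above comes from. The following is an added example, not code from the article or from Checkmarx: a minimal pre-deployment gate that aggregates findings from the stages listed (SAST, SCA, secrets, DAST, container, IaC) and decides whether a build may proceed. The finding structure, the policy thresholds, the `Finding` and `evaluate` names and the sample findings are all assumptions constructed for illustration.

```python
"""Added example (not from the article): a pre-deployment gate that merges
findings from several SDLC security controls and applies one policy.
All names, thresholds and sample data are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass

# Ordering used to compare severities against the policy threshold
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    stage: str      # which control produced it: sast, sca, secrets, dast, container, iac
    severity: str   # one of SEVERITY_RANK's keys
    rule: str       # scanner rule or advisory identifier
    location: str   # file:line, manifest, or URL


# Assumed policy: exposed secrets and critical findings always block;
# high-severity findings block only once they exceed a small budget.
POLICY = {
    "block_stages": {"secrets"},
    "block_severity_at_or_above": "critical",
    "high_budget": 2,
}


def evaluate(findings, policy=POLICY):
    """Return (ship, reasons, counts): whether the build may ship, why not,
    and a Counter of (stage, severity) pairs for reporting."""
    reasons = []
    counts = Counter((f.stage, f.severity) for f in findings)
    threshold = SEVERITY_RANK[policy["block_severity_at_or_above"]]
    for f in findings:
        if f.stage in policy["block_stages"]:
            reasons.append(f"{f.stage}: {f.rule} at {f.location} (blocking stage)")
        elif SEVERITY_RANK[f.severity] >= threshold:
            reasons.append(f"{f.stage}: {f.severity} {f.rule} at {f.location}")
    # Highs from non-blocking stages are tolerated up to the budget
    highs = sum(
        1 for f in findings
        if f.severity == "high" and f.stage not in policy["block_stages"]
    )
    if highs > policy["high_budget"]:
        reasons.append(f"{highs} high-severity findings exceed budget of {policy['high_budget']}")
    return (not reasons, reasons, counts)


# Constructed sample: one build's aggregated findings (identifiers are placeholders)
SAMPLE = [
    Finding("sast", "high", "sql-injection", "app/db.py:42"),
    Finding("sca", "critical", "ADVISORY-PLACEHOLDER in libexample", "requirements.txt"),
    Finding("secrets", "high", "cloud-access-key", "config/settings.py:7"),
    Finding("iac", "medium", "storage-bucket-public-read", "infra/storage.tf:12"),
    Finding("dast", "low", "missing-security-header", "https://staging.example/login"),
    Finding("container", "high", "outdated-base-image", "Dockerfile:1"),
]

if __name__ == "__main__":
    ship, reasons, counts = evaluate(SAMPLE)
    print("ship:", ship)
    for r in reasons:
        print(" -", r)
    for (stage, sev), n in sorted(counts.items()):
        print(f"{stage:>10} {sev:>8} {n}")
```

The sample build is blocked twice (the exposed secret and the critical SCA finding) while its two high-severity findings stay inside the budget; the same `evaluate` call on an empty list returns `ship=True`, which is the behaviour a CI job would key its exit status on.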


Steps to build a Successful AppSec Program include:

Benchmarking

For any organization to develop a successful AppSec Program, benchmarking is the fundamental step. The investment of time and resources can be justified by adopting an industry-standard framework, which comprises five dimensions. First, Strategy & Governance establishes a clear vision, objectives, and a governance structure that keeps security initiatives aligned with organizational objectives. Next, Tactical Security Testing focuses on identifying and remediating immediate vulnerabilities, Operational Security Testing ensures ongoing assessment and validation of security controls, and Architecture & Scale Testing evaluates the scalability and efficiency of security measures. Lastly, an effective Planning dimension provides a roadmap and a strategic approach to prioritizing and allocating resources, while ensuring the security initiatives remain aligned with organizational goals.


Gap Analysis

It is crucial to assess the current security posture to understand existing vulnerabilities, strengths, and potential risks, and to lay the groundwork. Following this, it is important to identify immediate actions that deliver a positive impact and strengthen security quickly. Assessment outcomes and industry-standard frameworks help justify investments in security enhancements and provide a baseline against which to measure them. The involvement of all stakeholders and their roles should also be taken into consideration. More importantly, by evaluating the associated costs, organizations can make informed decisions about resource allocation and budget.


Close the Gaps

Implement agile methodologies to close the gaps. Break the work down into manageable chunks that align seamlessly with developers’ workflow. An effective strategy to close the gaps includes risk ranking the organization’s business application inventory so that the critical areas needing immediate attention are prioritized. Another strategy is the optimization of presets for targeted scanning, which streamlines the security testing process. Onboarding applications in a structured manner ensures a systematic and organized integration of security measures. Automation and integration ensure continuous security testing, providing real-time insights into potential vulnerabilities. It is equally crucial to educate stakeholders about AppSec, thereby establishing awareness and understanding of the importance of security measures within the organization’s applications.
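Risk ranking the application inventory, choosing scan presets and deciding onboarding order are one procedure in practice: the rank determines which applications are onboarded first and how aggressively they are scanned. The following is an added example, not code from the article or a published Checkmarx method: it scores a constructed inventory on a few business-risk attributes, maps scores to tiers, and assigns each tier a scan preset, cadence and build-break threshold. The scoring weights, tier cut-offs, preset names and the `App`, `risk_score`, `tier` and `plan_onboarding` names are all assumptions for illustration.

```python
"""Added example (not from the article): risk-ranking an application inventory
to drive onboarding order and per-tier scan presets.
Weights, tiers, preset names and the sample inventory are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    internet_facing: bool
    handles_pii: bool
    handles_payments: bool
    revenue_critical: bool
    open_high_findings: int   # count from an earlier assessment, if any


# Assumed business-risk weights per attribute
WEIGHTS = {
    "internet_facing": 3,
    "handles_pii": 2,
    "handles_payments": 3,
    "revenue_critical": 3,
}


def risk_score(app):
    """Sum attribute weights; known high findings add at most 5 so one noisy
    scan result cannot outrank genuine business exposure."""
    score = sum(w for attr, w in WEIGHTS.items() if getattr(app, attr))
    return score + min(app.open_high_findings, 5)


def tier(score):
    """Map a score to a tier (assumed cut-offs)."""
    if score >= 9:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


# Assumed tier-specific presets: targeted, frequent scanning for the riskiest
# applications; broader but cheaper coverage lower down.
PRESETS = {
    "critical": {"preset": "full-plus-secrets-and-sca", "cadence": "every commit", "break_build_on": "high"},
    "high":     {"preset": "owasp-top10-plus-sca",      "cadence": "every merge",  "break_build_on": "high"},
    "medium":   {"preset": "owasp-top10",               "cadence": "nightly",      "break_build_on": "critical"},
    "low":      {"preset": "baseline",                  "cadence": "weekly",       "break_build_on": "critical"},
}


def plan_onboarding(apps):
    """Return the inventory ordered by descending risk (name breaks ties),
    each entry carrying its score, tier and the tier's scan settings."""
    ranked = sorted(apps, key=lambda a: (-risk_score(a), a.name))
    plan = []
    for a in ranked:
        s = risk_score(a)
        plan.append({"app": a.name, "score": s, "tier": tier(s), **PRESETS[tier(s)]})
    return plan


# Constructed sample inventory
INVENTORY = [
    App("internal-wiki", False, False, False, False, 0),
    App("checkout", True, True, True, True, 3),
    App("hr-portal", False, True, False, False, 1),
    App("marketing-site", True, False, False, False, 0),
]

if __name__ == "__main__":
    for row in plan_onboarding(INVENTORY):
        print(f"{row['app']:<15} score={row['score']:>2} tier={row['tier']:<8} "
              f"preset={row['preset']} cadence={row['cadence']}")
```

In the sample, the payment-handling, internet-facing `checkout` application lands in the critical tier and is onboarded first with the fullest preset on every commit, while the internal wiki gets a baseline weekly scan; the weights are the part an organization would tune against its own gap analysis.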


This holistic approach, which includes both agile methodologies and strategic initiatives, establishes a robust foundation for enhancing the security posture of an organization’s applications.


(The author is Shabir Bhat, Regional Director, India, Middle East & Africa, Checkmarx India Technology Services Private Limited, and the views expressed in this article are his own)