Your Best First Step in Building an Application Security Program

PUBLISHED ON November 1, 2021
LAST UPDATED Nov 01, 2021

Application security is critical, and it’s complicated. Success requires security in depth: a multi-layered program involving several teams and different technologies. This program relies on a strong partnership between security and DevOps teams, because good application security is built in from the first day of app design. That takes time, and time is definitely not on your side when we’re talking about cyberattackers or about getting solutions to market on time. How do you build security in depth without leaving your organization exposed or causing production delays?

At ThreatX, we like to refer to our solution as your best first step in building that security in depth. ThreatX gives you an immediate safe perimeter – with your systems secured from direct lines of attack via HTTP and HTTPS. Having built that perimeter, you can then take the time to conduct a full asset inventory, train your developers on defensive coding, and develop that deeper program of application security. We’re your best first step, but not the only one. Let’s take a look at some of the other steps we recommend to build out an application security program — in depth and without delay.  

Security awareness training for engineering staff 

Historically, defensive coding isn’t taught well in undergrad engineering programs. This is a skill that needs to be learned, and it’s better to do so before you’re breached rather than after the fact. Savvy organizations keep their development teams’ secure coding skills sharp by procuring and requiring ongoing secure coding training.  

Code scanning with every check-in and build 

Third-party scanning solutions can scan source or compiled object code and find vulnerabilities before they are ever exploited. The earlier this scan is completed, the better. Waiting until you have an integration build risks schedule delays, which is why it is better to run these scans with each check-in or private build.

Periodic penetration testing 

Penetration tests are mandatory, although they are typically done out-of-band from the SDLC. Solid security awareness training and regular scanning with each check-in will help prevent a delay from this third step.

Perimeter security 

Sound perimeter security can help tremendously with schedule impacts. With a cloud WAAP solution, you can cleanse ingress traffic and immediately mitigate vulnerabilities. This provides valuable time to remediate issues in source code, without forcing a long delay while you roll back or hold releases on the launch pad. 

Learn more 

To get more details on how WAAP fits into an application security program, check out our recent webcast. To see ThreatX’s WAAP solution in action, sign up for a demo.

About the Author

Tom Hickman

Tom has a long track record of building and scaling product delivery capabilities at mid- and growth-stage startups. He served as the VP of Engineering at Edgewise Networks, where he led engineering through early releases of Edgewise’s zero-trust micro-segmentation product. While at Veracode, a leader in AppSec, Hickman led engineering through an Agile transformation and helped the company become a true multi-faceted AppSec platform prior to its acquisition by CA Technologies in 2017. Tom holds a B.S. degree in mechanical engineering from the Georgia Institute of Technology.