Application Security, or AppSec, is a race between your business and bad actors. 

Whether you realize it or not, people and bots are constantly attacking and probing your Internet-facing and cloud-hosted applications. In fact, it’s not uncommon to hear of known vulnerabilities causing a breach before an organization has been able to patch. Taking that a step further, I recently worked with a client whose application was hacked before my security assessment proposal could clear their purchasing team!

If AppSec is literally a race, how can you outpace the bad guys? And your competitors in business?

Executives who understand the AppSec risk faced by their organization perform frequent penetration testing at a minimum. Penetration testing, when done correctly, will give the organization a prioritized list of vulnerabilities that should be fixed, and advice on how to fix them. When performed poorly, penetration testing is a total waste.

While vulnerability identification is important, fixing known issues likely to lead to a breach is more important. And penetration testing doesn’t necessarily help an organization outpace their attackers – or their competitors. In fact, penetration testing often slows things down. Executives who come to this realization, that penetration testing is not enough and that they must “do more for security,” throw their hands up and say “we need to hire an expert.”

Defaulting to “hiring an expert” is like stopping in the middle of a marathon and walking back to your car, while your competitors trudge along to the finish line. If you’re a product or engineering executive and you’ve reached the conclusion that you can’t do anything without hiring an application security expert, here are some points for you to consider.

  1. You don’t need to hire a full-time “security expert.” You need a software engineer who understands application security. Trying to hire a “security expert” is a trap that can cause a software development organization to waste valuable time (months, if not years), and time is a crucial security asset. Read more about making your first AppSec hire.

  2. You already have an AppSec leader on your team – you just need to find and empower them.
    The only thing stopping a development organization from starting an application security program is leadership. If leadership makes application security a priority, every organization has at least one person who understands or is inclined to learn more about application security. Find this person, and you can start making progress today. Read more about finding the application security unicorn who is already on your team.

  3. You can scale application security with a security champions program.
    Unless your organization is in a strong position to recruit and retain top application security talent, there is no need to waste time trying to build a team via new hires. You can build a Security Champions program to scale application security capabilities inside of your development organization. Outsiders and new hires don’t know as much about your applications as your engineers do. Turning your existing engineers into security champions will help you address security earlier in your development lifecycle so you can reduce risk and release code faster than your competition. Read more about building a security champions program.

There is a lot that your existing team can do to improve application security, but they need executive backing and security engineering leadership. If you can provide the executive backing, Carve Systems can provide the security engineering leadership starting immediately. There is no need to wait any longer. Contact us for more information on how to get started.