Enterprise Application Security Posture, Level 3
Establishing a Centralized Enterprise Application Security Posture

Part 4 of the series Application Security Posture as a Product Manager in Cybersecurity. Links to Part 1, Part 2, Part 3. Please support me by following me on Medium.
Herding cats is easier than collecting data in an enterprise. Application teams are focused on delivering customer value. Security teams are multi-tasking among incidents, prevention activities, and monitoring a continuously changing threat landscape. With all these competing priorities, executives find it hard to get the right data to make good decisions. We all try to base our decisions on data, but in reality, we are not always looking at the complete environment. We have a bias to make a decision based on our personal values and then find data as evidence.

Assuming that you have laid a foundation and engaged partners throughout your enterprise, you can now bring everything together in a centralized application security posture. With an application security posture, you have a view of all the data associated with your application portfolio. You will be able to drive decisions with both your values and the data at hand.
Three more initiatives I use to build a centralized application security posture:
- Find your “Security Champions” throughout your organization and provide them with the actual resources they need.
- Document your enterprise deployment process with application teams driving the process.
- Make your application’s key risk indicators transparent throughout the enterprise.

Find your “Security Champions” throughout your organization and enable them with the actual resources they need
The most important resource to building an application security posture is the people who build your applications daily. Each time a feature change is made to an application, there is a moment of opportunity to support the team using the security tools and processes.
If the application team does not know the process or tools to implement the proper security controls, this data is forever lost, and your application security posture is less accurate.
If the application team knows the process, has access to the tools, and there is not too much friction, then they will implement security. With developer-driven implementations, you can build an enterprise application security posture.
Cultivating security champions distributed throughout your organization is the most reliable way to reach developers with accurate information and examples. Security champions know the process and the tools. They single-handedly reduce friction to implementation.
However, your security champions need resources. This cannot be forgotten. They need access to the tools your organization uses. Security champions need training on the latest updates and best practices. With this support, organizations will be able to communicate with developers and provide them with the best practices they desperately want.
Document your enterprise deployment process with application teams driving the process
The process that an enterprise uses to deploy code into runtime environments is one of the most critical and vulnerable processes an engineering team uses. This process is used daily to deploy changes to applications that directly support customers.
Not surprisingly, in today’s larger enterprises, multiple languages and runtimes need to be supported to meet development teams’ business requirements. There will be no single deployment tool or tech stack that will satisfy all of development’s needs. When this happens, we’re all out of a job, and we should welcome our robot overlords.
All this complexity could mean that it’s impossible to build an application security posture to monitor risk across the entire development process and application portfolio. If this is your posture, I suggest we realign it. It’s our job to look for locations where we can measure security throughout the process. Security teams must “Shift Everywhere” to monitor your application security posture.

I have one spot I really like to focus on. It is the centralized source code repository. This is the one single location where security has access to all of the application code. Here, we can continuously monitor and look for immediate vulnerabilities and provide feedback to developers. Automating the vulnerability remediation, or at least reducing the complexity, gives the developer the feedback and improvement necessary to reduce the risk for the enterprise. In addition, because it’s automated, you get to monitor risk as part of an application security posture.
Make your application’s key risk indicators transparent throughout the enterprise.
It is not enough to capture data and measure key risk indicators. To establish consistency, you must make the results of the KRIs you capture transparent across the organization. This is not meant to create animosity amongst business units or application teams. Just like in most DevOps cultures, it’s imperative to have a judgment-free arena to make mistakes and learn. Transparent KRIs can be just that.
Truthfully, this can be implemented to the opposite effect. One of the jobs of a product manager of cybersecurity is to set the tone for how KRIs are seen and used throughout the organization. KRIs are the first indicators. They are not tied to bonuses. An organization needs an accurate measurement of risk, not one impeded by financial incentives.
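As an added illustration of the two points above (continuous scanning of the central repository feeding KRIs, and KRIs published per application), here is example code that is not from the original article: it rolls constructed scan findings up into per-application indicators. The severity names, SLA day counts and application names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    app: str                      # application name in the central repository
    severity: str                 # "critical", "high", "medium" or "low"
    first_seen: date              # date the automated repository scan first reported it
    fixed: Optional[date] = None  # None while the finding is still open


# Remediation SLA in days per severity (constructed policy values, not the article's).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def app_kris(findings: List[Finding], today: date) -> Dict[str, dict]:
    """Compute per-application KRIs: open critical/high count, SLA breaches,
    closed count and mean days to fix. Every app gets the same indicators,
    which is what makes the result comparable and transparent across teams."""
    kris: Dict[str, dict] = {}
    for f in findings:
        k = kris.setdefault(f.app, {"open_critical_high": 0, "sla_breaches": 0,
                                    "closed": 0, "days_to_fix": []})
        if f.fixed is None:
            age = (today - f.first_seen).days
            if f.severity in ("critical", "high"):
                k["open_critical_high"] += 1
            if age > SLA_DAYS[f.severity]:
                k["sla_breaches"] += 1
        else:
            k["closed"] += 1
            k["days_to_fix"].append((f.fixed - f.first_seen).days)
    for k in kris.values():
        d = k.pop("days_to_fix")
        k["mean_days_to_fix"] = round(sum(d) / len(d), 1) if d else None
    return kris


# Constructed sample findings, as an automated scan of the central repository might emit.
SAMPLE = [
    Finding("payments", "critical", date(2024, 5, 20)),
    Finding("payments", "high", date(2024, 5, 25)),
    Finding("payments", "medium", date(2024, 4, 1), fixed=date(2024, 4, 11)),
    Finding("portal", "low", date(2024, 1, 1)),
    Finding("portal", "high", date(2024, 5, 1), fixed=date(2024, 5, 21)),
    Finding("portal", "critical", date(2024, 5, 30)),
]

if __name__ == "__main__":
    for app, k in sorted(app_kris(SAMPLE, date(2024, 6, 1)).items()):
        print(app, k)
```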
Final Note on Enterprise Application Security Posture, Level 3

It is security's job to protect the application by placing controls on what application teams need to do to deploy into an operations environment. If security creates friction without value, developers will be inconsistent in following security policies. How security creates developer value has to be more than reducing risk to the enterprise. It must also provide developers with feedback.
An application security posture is vitally important. All of the development teams must contribute. The process must be automated. The results must be transparent and free of tampering. With all this in place, the key risk indicators should represent an actionable, valuable, and transparent metric to your application portfolio risk.
Can a product monitor your application security posture? Yes, it can. But without the people, processes, and technologies in place to ensure the collection of your data is complete and accurate, it will be impossible to use the results to drive better business decisions that provide value to your customer.
Learn More
Enterprise Application Security Posture
Enterprise Application Security Posture — Level 1
Enterprise Application Security Posture — Level 2
If you are interested in continuing to learn with me, then please consider following me on Medium.
Continue to Part 5 of the series Application Security Posture as a Product Manager in Cybersecurity