David Matousek

Summary

The article discusses the importance of maintaining a consistent and evolving application security posture to provide business value and reduce security risks.

Abstract

The article, "Evolving your Enterprise Application Security Posture, Boss Level," emphasizes that a strong application security posture is not a final destination but a continuous journey. It outlines the practice of "Continuous Security," which involves constant monitoring, evaluation, testing, learning, and evolution of the application security posture. The author argues that security data must be accurate to prioritize vulnerabilities effectively and that the posture must demonstrate business value, either by reducing breach probability or by offering security features that set the product apart from competitors. The article also highlights the role of product management techniques in treating the application security posture as a product, ensuring it delivers value to customers, users, and executive stakeholders. By focusing on these aspects, an enterprise can not only reduce risk but also create value for its stakeholders.

Opinions

  • Bad security data can lead to an increased likelihood of breaches, emphasizing the need for accurate vulnerability prioritization.
  • An application security posture must be consistently maintained and realigned over time to remain effective.
  • The application security posture should be treated as a product, with a focus on delivering business value and customer satisfaction.
  • Continuous monitoring is crucial for measuring the application security posture at every phase of the deployment journey.
  • Continuous evaluation of security data using service level objectives helps in setting thresholds and creating meaningful tests.
  • Continuous testing should be promoted, especially when risk increases, to bring down vulnerabilities and experiment with security tests.
  • Continuous learning from experimentation and tests is essential to develop new strategies and inject them into the backlog.
  • Continuous evolution is necessary to integrate new processes and technologies that can enhance security and reduce risk.
  • The article suggests that an application security posture without demonstrated business value is not aligned with an outcome-driven culture.
  • The involvement of a product manager in security teams can help represent the customer and ensure the security posture provides value to all users and stakeholders.
  • The value of the application security posture should be quantifiable, showing direct benefits such as cost savings, resource allocation efficiency, and reduced breach incidents.

Evolving your Enterprise Application Security Posture, Boss Level

Enterprise Application Security Posture is NOT the end!

Image by Pete Linforth from Pixabay

Part 5 of the series Application Security Posture as a Product Manager in Cybersecurity. Links to Part 1, Part 2, Part 3 & Part 4. Please support me by following me on Medium.

Bad security data leads to a higher probability of a breach. Security teams only have so much time and resources. They need to prioritize vulnerabilities in their application portfolio accurately.

I began the series on application security posture by laying a foundation. Then I explored engaging deeply with our partners. Third, we built our application security posture program with security champions and transparent KRIs. We have now reached the “Boss Level,” where we face our two greatest challenges: consistency and business value.

In this article, I talk about

  1. The practice of applying “Continuous Security” in your application security posture.
  2. How application security posture provides Business Value to customers, users, and executive stakeholders.

Application security posture only works if maintained consistently over time. A security posture takes constant work and realignment. In addition to being consistent, an application security posture must be helpful by demonstrating business value. This can be a direct reduction of breach probability or a new security feature in your product that differentiates you from your competition.

Applying “Continuous Security” in your application security posture

When someone shows me the single best way to deploy code to an operational environment that works for all developers, security engineers, risk and compliance monitors, release management processes, and platform engineers, then we can have a one size fits all deployment and monitoring process. Until that day, we have to continuously look at, evaluate, and evolve both our DevSecOps process and our application security posture.

“Continuous Security” provides a framework to continuously monitor, evaluate, test, learn, and evolve our application security posture.

1) Continuous Monitoring

Continuous monitoring is the measuring of the application security posture itself. With the “Shift Everywhere” framework, we constantly monitor our entire application portfolio at every critical phase along the DevSecOps deployment journey.

2) Continuously Evaluating

Now that you have an application security posture that continuously monitors your application portfolio, the next step is to use the data. Looking at the data is just as important as capturing it. A common way to highlight the data worth looking at is to define service level objectives. Treating your application security posture as a product implies that you should set thresholds for those objectives. Whether you are above or below a threshold, it’s imperative to use that information to create tests that matter.

3) Continuously Testing

When your risk increases, it’s a great time to promote items in your backlog that bring it back down. When risk goes down, it’s an even better time to experiment with tests whose outcome you’re unsure of. There are all sorts of helpful security tests. Pick a few and learn from the results.
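The two steps above, evaluating posture data against service level objectives with thresholds and then promoting backlog items when risk rises, can be made concrete. The following is an added example, not code from the original article or its author: it assumes a remediation SLO of the form “X% of findings of a given severity are closed within N days”, applies it per application to a constructed set of findings, flags the application/severity pairs that breach their threshold, and lists the aged open findings that are the obvious backlog candidates to promote. The SLO windows, objectives, application names and findings are all assumptions made for the illustration.

```python
"""Evaluate application security findings against remediation SLOs.

Added example (not from the original article). The findings, apps, and
SLO numbers below are constructed for illustration; real thresholds come
from your own risk appetite.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str                   # "critical" or "high" in this example
    opened: date
    closed: Optional[date] = None   # None means the finding is still open


# Assumed SLO definition: SLO_OBJECTIVE[sev] of findings of that severity
# are closed within SLO_WINDOW_DAYS[sev] days of being opened.
SLO_WINDOW_DAYS = {"critical": 7, "high": 30}
SLO_OBJECTIVE = {"critical": 0.95, "high": 0.90}


def is_eligible(f: Finding, as_of: date) -> bool:
    """A finding counts toward the SLO once it is closed or has aged past its
    window. Young open findings are excluded so they neither inflate nor hide
    the ratio before their outcome is known."""
    if f.closed is not None:
        return True
    return (as_of - f.opened).days > SLO_WINDOW_DAYS[f.severity]


def met_slo(f: Finding) -> bool:
    """True only when the finding was closed inside its window."""
    return f.closed is not None and (f.closed - f.opened).days <= SLO_WINDOW_DAYS[f.severity]


def evaluate(findings, as_of: date):
    """Return {app: {severity: {"eligible", "met", "ratio", "breached"}}}."""
    counts = defaultdict(lambda: defaultdict(lambda: {"eligible": 0, "met": 0}))
    for f in findings:
        if not is_eligible(f, as_of):
            continue
        bucket = counts[f.app][f.severity]
        bucket["eligible"] += 1
        if met_slo(f):
            bucket["met"] += 1
    report = {}
    for app, sevs in counts.items():
        report[app] = {}
        for sev, c in sevs.items():
            ratio = c["met"] / c["eligible"]
            report[app][sev] = {
                "eligible": c["eligible"],
                "met": c["met"],
                "ratio": round(ratio, 3),
                "breached": ratio < SLO_OBJECTIVE[sev],
            }
    return report


def promote_candidates(findings, as_of: date):
    """Open findings already past their window: the backlog items to promote
    first, ordered by severity and then by age (oldest first)."""
    order = {"critical": 0, "high": 1}
    aged = [f for f in findings if f.closed is None and is_eligible(f, as_of)]
    return sorted(aged, key=lambda f: (order[f.severity], f.opened))


# Constructed sample data for two hypothetical applications, as of 2024-03-31.
AS_OF = date(2024, 3, 31)
SAMPLE_FINDINGS = [
    Finding("payments", "critical", date(2024, 3, 1), date(2024, 3, 5)),   # closed in 4 days: met
    Finding("payments", "critical", date(2024, 3, 2), date(2024, 3, 12)),  # closed in 10 days: missed
    Finding("payments", "critical", date(2024, 3, 28)),                    # open, 3 days old: not yet eligible
    Finding("payments", "high", date(2024, 2, 1), date(2024, 2, 20)),      # closed in 19 days: met
    Finding("payments", "high", date(2024, 2, 15)),                        # open for 45 days: missed
    Finding("portal", "critical", date(2024, 3, 10), date(2024, 3, 15)),   # closed in 5 days: met
    Finding("portal", "critical", date(2024, 3, 11), date(2024, 3, 16)),   # closed in 5 days: met
    Finding("portal", "high", date(2024, 3, 1), date(2024, 3, 20)),        # closed in 19 days: met
]

if __name__ == "__main__":
    for app, sevs in evaluate(SAMPLE_FINDINGS, AS_OF).items():
        for sev, r in sevs.items():
            flag = "BREACH" if r["breached"] else "ok"
            print(f"{app:9s} {sev:9s} {r['met']}/{r['eligible']} = {r['ratio']:.0%}  {flag}")
    for f in promote_candidates(SAMPLE_FINDINGS, AS_OF):
        print(f"promote: {f.app} {f.severity} open since {f.opened}")
```

Excluding open findings that are still inside their window is the deliberate design choice here: counting them as compliant would let a flood of fresh findings mask a bad remediation rate, and counting them as misses would punish teams for work that is not yet due. Only findings with a known outcome move the ratio, and the aged open ones surface separately as the backlog items to promote.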

4) Continuously Learning

Experimentation and tests only matter if you learn something from the results. These results should be developed into new ideas, stories, and strategies to test. They should be injected into your backlog and tried at low-risk times.

5) Continuously Evolving

To evolve continuously, we must constantly build upon our application security posture. We need to identify new processes and technologies in the industry that can enhance our application security. If new processes or technologies can provide value or reduce risk, we must consider bringing them into our application security process.

Beyond continuously evolving your application security posture, we need to show why we have a security posture in the first place.

Creating Business Value with your Application Security Posture

Without value, there is no reason to build your application security posture. Security for security’s sake is not aligned with an outcome-driven culture.

I believe that treating your application security posture as a product of your cybersecurity team is the best way to continuously grow this capability.

With a product manager involved in your security teams, they can represent the customer as part of the process. Now, is this right or necessary? Absolutely! An “internal product” must provide and show value to the customer and the business.

Good product management techniques can help here as well. In addition to supporting the enterprise’s customers, the product manager should focus on all of the users of the application security posture and show value to each persona. The three personas that I focus on supporting are:

  1. Customers — How does monitoring your application security risk help your customer? Does decreased risk to the enterprise translate into lower costs or more resources for new feature development? If so, how much? This is a crucial metric!
  2. Users — Users come in many shapes and sizes. Typically, they are developers, security engineers, architects, and security operations. These are the users that help capture data for your application security posture. How does the time and effort they spend on security help them? Does security create friction? Does security make it easier for them to release into production by capturing security evidence? How much remediation time does automating the collection of application security posture data save? Do you make deployments easier? How many more deployments is the team able to do?
  3. Executive Stakeholders — The business owners and executives that own value streams and security capabilities need metrics to accurately make business decisions based on risk. Are they able to use your data to allocate resources accurately to reduce risk across the entire application portfolio? How much risk are they able to remove? Has the number of security breaches changed?

Final Note on Enterprise Application Security Posture, Boss Level

Enterprise Application Security Posture is NOT the end. It’s a state that requires constant monitoring, evaluation, testing, learning, and evolving. When treated as a product in your cybersecurity organization, it gets the attention it needs to show value to your customers, users, and executive stakeholders. With the right people, processes, and technologies to support your application security posture, your enterprise can reduce risk and create value for your stakeholders.


Follow Me On Medium

As my daughter says, if you are interested in “what-ever-this-is” and want to explore product challenges in cybersecurity with me, then please consider following me on Medium.
