In honor of attending the Front Range OWASP Conference (FROC) today, here’s the first of a THREE part series of thoughts on implementing an AppSec program at an organization.
Step One: Executive Buy-In
The first step, and most important aspect, of implementing application (or any other) security measure is receiving buy-in from leadership. The business leaders push down the priorities all across the organization. If the leadership support stops a level or two below the CEO, your security program’s scope will be severely diminished. A CISO or CIO may have the power to push out requirements to IT, but if you want information security pushed across business units you will need support from the CEO, CFO, or COO.
All leaders are going to agree with the idea of information security. They have seen the results of poor security in the news in the TJX and Heartland cases. While hearing those types of stories can bring great attention to information security needs, it’s not fear mongering we want to do. We want to move beyond a CYA approach and present the business risks, including the costs of a potential breach versus the costs of a countermeasure, and help our organizations leaders make educated business decisions. Getting executive leadership to buy off on an integrated security program takes more than a 30 minute meeting filled with horror stories. It takes an ongoing relationship with the InfoSec professionals based on trust, not fear, and an understanding of the scope of the business risks associated with data protection.
The executives do not need to know every detail of how security is implemented. Getting to that level is probably a waste of their time. But they do need to understand the importance of security and how that ties into producing high quality products, and providing high quality service to clients.
Working closely with the highest levels of leadership can be daunting. Their calendars are often full, and difficult to get onto. Work through your chain of command. I am not suggesting you march into the office of your CEO. Build a coalition among your boss and his/her boss.
Step Two: Education
The education of staff is the next step. This starts at a very high level for all employees but gets down into technical curriculum as necessary. Each employee needs to know not to click on phishing emails or send out client’s personal information. But maybe only the development and QA team needs to be trained on the Software Development Lifecycle. And while the standards for data input validation may be applicable to all, the techniques used for preventing buffer overruns are of no use to the .Net and Java developers. Just like your client/server developers don’t need Cross Site Request Forgery training.
Implementing training that is timely, specific and personally meaningful for each team is critical. Generalized trainings for an entire IT department are going to lose 90% of your audience for 90% of the time. The QA folks will snooze through the network security talks. The help desk will fall asleep during discussion of development standards.
To manage so many diverse training needs, the tasks of determining curriculum must be handled, at least in part, by a member of each team. An InfoSec professional working with a developer can craft great training that will have targeted impact within that development team.
This type of formal training should be performed at least annually. On top of that, you want to provide learning opportunities more often for team leaders, those in fast moving technologies and other interested parties. Organizations like ISSA, OWASP, and SANS are great ways to keep the in-the-trenches IT workers interested and up to date on security threats without breaking the bank. If budget allows, sending employees to training classes can be a great reward and a way to let employees know the organization wants to support their career growth, at the same time increasing the employee’s value to the organization.
Click here for Part 2 of Implementing Application Security.
Connect with Robb on Google+