© 2019 VERACODE INC.
How to Create a Business Case for Expanding Your AppSec Program
Colin Domoney
Introduction
Why are we here?
About the Presenter: Colin Domoney
@colindomoney
• Have run enterprise AppSec programmes
• Former Solutions Architect at Veracode enabling customers and evangelising AppSec
• DevSecOps consultant advising on how to build secure, safe software in a reliable and repeatable manner
• Technologist at heart – interested in all new technology, particularly automation, containers, cloud.
Agenda
• Expanding the AppSec Programme at Deutsche Bank
• Fighting for Budget
• Strategies for Obtaining Budget
• Programme Metrics That Matter
• Findings from Our Customers
• The Journey to a Mature Programme
• Future Proofing Your Business
Expanding the AppSec Programme at Deutsche Bank
My own story
AppSec Programme at Deutsche Bank
• Established as a greenfield initiative in 2012
• Scaled from 150 apps to 1,900 in 3 years
• Remediated 500,000 high severity flaws in a single year
• Heavy use of automation to reduce manual effort
• Staffed by only one AppSec expert
• Supported by a small team of analysts
Year One: Inception
PROGRAMME GOALS
• Scan and triage 150 most critical applications in estate
• Reduce critical flaws in applications
• Create awareness for AppSec
BUDGET JUSTIFICATION
• Augmented the value of the manual pen-test programmes by removing ‘low hanging fruit’
• SaaS provided cost benefits due to low setup overheads
Year Two: Expansion
PROGRAMME GOALS
• Expand programme to 750 applications
• Used remediation calls to drive flaw closure
BUDGET JUSTIFICATION
• Drive wholesale cost reduction of manual pen-test programmes while expanding coverage scope
• Reduced developer effort by using AppSec experts as coaches
Year Three: Remediation
PROGRAMME GOALS
• Closed over 500,000 high severity flaws
• Deployed AppSec experts to achieve aggressive remediation
• Created ‘security champions’ to promote security capability
BUDGET JUSTIFICATION
• Small team provided massive net risk reduction, reducing likelihood of costly breaches
• Creating internal capability led to long term savings
Year Four: Automation
PROGRAMME GOALS
• Expanded coverage to 2,500 applications
• Injected automated scanning into all central CI/CD systems and artefact repositories
BUDGET JUSTIFICATION
• Leveraged automation at all points to reduce manual labour costs of programme execution
• Negotiated beneficial terms with Veracode based on our ability to execute and deliver value
Fighting for Budget
Getting more of the pie
Getting More of the Pie
(Pie chart: ‘All other security programmes and projects’ versus ‘AppSec programme’)
Steal Other People’s Pie
• Show better business outcomes
• Demonstrate higher efficiencies
• Demonstrate ROI via consumption
• Be more visible than others
• Demonstrate cost savings
Get a Bigger Pie
• Demonstrate a vision for the future
• Attach to a ‘pet project’
• Attach to a burning problem
Strategies for Obtaining Budget
It’s not just ROI
“CISO’s Guide to Obtaining Budget”
https://securityintelligence.com/series/a-cisos-guide-to-obtaining-budget/
• Know Your Audience
• Know Yourself
• Cultivate Your Credibility
• Never Waste a Crisis
• Exploit Pet Projects
Must Do, Should Do, Could Do
https://www.risklens.com/blog/win-the-infosec-budget-cycle-a-short-guide-for-cisos/
• Must Do: Regulatory and compliance
• Should Do: Prevent negative impact on your company
• Could Do: R&D and innovation
Benchmarking Against Competitors
https://www.veracode.com/state-of-software-security-report
• Benchmark your company against competitors in your segment
• If you’re lagging, use this as a driver to invest and close the gap
• If you’re leading, use this as an opportunity to embark on more ambitious projects
Heard via the Grapevine …
“significant cost savings using a centralised solution over ad-hoc on demand siloed testing”
“the cost of the programme is insignificant compared to the cost of losing customers”
“we were losing customers because we couldn’t demonstrate we were developing secure software”
Programme Metrics That Matter
Numbers that count
How To Measure Your Programme
https://www.csoonline.com/article/3200270/cybersecurity-spend-roi-is-the-wrong-metric.html
https://www.fairinstitute.org/fair-book
https://www.howtomeasureanything.com/cybersecurity/
Use Metrics to Manage Your AppSec Programme
https://www.veracode.com/sites/default/files/Resources/Whitepapers/using-metrics-to-manage-your-application-security-program-sans-veracode.pdf
Veracode’s Top Five Programme Metrics
#1 : Your Flaw Density
WHAT: Reports where the most code flaws are seen
USE CASE
• Allows appropriate focus on expansion of developer training activities
• Securing third-party software
• Identifying vulnerable components or libraries
#2 : Your Fix Rate
WHAT: How long it takes you to fix vulnerabilities
USE CASE
• Allows appropriate focus on expansion of developer training activities
• Augment your development team using advisors or security champions
• Redirect funds toward remediation activities
#3 : Your Rank in AppSec Maturity Models
WHAT: How you compare to industry leaders and best practices
USE CASE
• Identify gaps in your programme based on the lessons learned by others and best practices
• Expanding your programme to remain competitive
#4 : Your Compliance with Industry Regulations
WHAT: Whether you are meeting relevant industry regulations
USE CASE
• Code reviews built into the SDLC
• Both manual and automated assessments
• Controls around 3rd party software
• Gap analysis
• Continuous verification
#5 : Your Compliance with Internal Policies
WHAT: Whether you are meeting your internal policies
USE CASE
• Provide additional developer training
• Gap analysis
• Continuous verification
• Augment your development team using advisors or security champions
Metrics Used in My Deutsche Bank Programme
“What percentage of applications are covered by the AppSec programme?”
“What percentage of applications are compliant with the AppSec policy?”
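As an added worked example (not from the presentation, and not Veracode's or Deutsche Bank's own reporting code): the two Deutsche Bank programme metrics above, coverage percentage and policy-compliance percentage, computed together with the flaw density and fix rate from the top-five list over a constructed set of scan findings. The application estate, the findings, the 1–5 severity scale and the "no severity 4+ finding open longer than 30 days" policy are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


# Constructed sample data (not from the presentation). One row per scan finding.
@dataclass(frozen=True)
class Finding:
    app: str
    severity: int            # assumed scale: 5 = very high ... 1 = very low
    opened: date             # date the scanner first reported the flaw
    closed: Optional[date]   # None while the flaw is still open


# Assumed application estate: app name -> size in thousands of lines (KLOC).
ESTATE_KLOC = {"payments": 100.0, "ledger": 80.0, "portal": 40.0, "reports": 30.0}
# Apps onboarded to the programme so far; "reports" has never been scanned.
SCANNED_APPS = {"payments", "ledger", "portal"}

# Assumed internal policy: no finding of severity >= 4 may stay open > 30 days.
POLICY_MIN_SEVERITY = 4
POLICY_SLA_DAYS = 30
# Constructed reporting date used when ageing open findings.
AS_OF = date(2019, 3, 15)

FINDINGS = [
    Finding("payments", 5, date(2019, 1, 5), date(2019, 1, 20)),   # fixed in 15 days
    Finding("payments", 4, date(2019, 2, 1), None),                # open, past SLA
    Finding("payments", 3, date(2019, 2, 10), date(2019, 2, 12)),  # fixed in 2 days
    Finding("ledger", 4, date(2019, 1, 15), date(2019, 3, 1)),     # fixed in 45 days
    Finding("ledger", 2, date(2019, 1, 15), None),                 # open, below policy severity
    Finding("portal", 5, date(2019, 3, 1), None),                  # open, within SLA
    Finding("portal", 3, date(2019, 3, 2), date(2019, 3, 9)),      # fixed in 7 days
]


def coverage_pct(estate: dict, scanned: set) -> float:
    """Coverage metric: percentage of the estate with at least one scan."""
    return 100.0 * len(scanned & set(estate)) / len(estate)


def flaw_density(estate: dict, scanned: set, findings: list) -> list:
    """Flaw density metric: findings per KLOC for each scanned app, worst first.
    Ranking shows where training, third-party review and library checks should focus."""
    counts = {app: 0 for app in scanned}
    for f in findings:
        if f.app in counts:
            counts[f.app] += 1
    ranked = [(app, round(n / estate[app], 4)) for app, n in counts.items()]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


def median_days_to_fix(findings: list, min_severity: int = 1) -> Optional[float]:
    """Fix-rate metric: median days from discovery to closure for closed findings
    at or above min_severity; None when nothing in scope has been closed yet."""
    durations = [(f.closed - f.opened).days for f in findings
                 if f.closed is not None and f.severity >= min_severity]
    return float(median(durations)) if durations else None


def policy_status(estate: dict, scanned: set, findings: list, as_of: date) -> dict:
    """Per-app policy compliance. An app fails if any finding at or above the
    policy severity has been open longer than the SLA on the as_of date; an
    unscanned app cannot demonstrate compliance, so it counts as failing (assumed rule)."""
    status = {app: app in scanned for app in estate}
    for f in findings:
        if f.app not in status or f.closed is not None:
            continue
        if f.severity >= POLICY_MIN_SEVERITY and (as_of - f.opened).days > POLICY_SLA_DAYS:
            status[f.app] = False
    return status


def compliance_pct(estate: dict, scanned: set, findings: list, as_of: date) -> float:
    """Compliance metric: percentage of the whole estate that passes policy."""
    status = policy_status(estate, scanned, findings, as_of)
    return 100.0 * sum(status.values()) / len(status)


if __name__ == "__main__":
    print(f"coverage: {coverage_pct(ESTATE_KLOC, SCANNED_APPS):.1f}%")
    print("flaw density (per KLOC):", flaw_density(ESTATE_KLOC, SCANNED_APPS, FINDINGS))
    print("median days to fix (all):", median_days_to_fix(FINDINGS))
    print("median days to fix (severity >= 4):", median_days_to_fix(FINDINGS, 4))
    print("policy status:", policy_status(ESTATE_KLOC, SCANNED_APPS, FINDINGS, AS_OF))
    print(f"policy compliance: {compliance_pct(ESTATE_KLOC, SCANNED_APPS, FINDINGS, AS_OF):.1f}%")
```

Reporting both percentages over the whole estate (unscanned apps count against compliance) keeps the two numbers honest as the programme expands: coverage cannot rise without the compliance figure being exposed to the newly onboarded apps.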
Findings From Our Customers
Forrester TEI report
SANS AppSec ROI Report
https://www.veracode.com/blog/managing-appsec/optimizing-your-appsec-investment-value-stream-mapping
Investment Decision Making
Simple Return on Investment Model
Forrester Total Economic Impact Report
https://info.veracode.com/analyst-report-forrester-the-total-economic-impact-study.html
Research Methodology
Results Take Time
Analysis of Benefits
Doing More with a Smaller Team
Reduce Costs of 3rd Party Testing
Analysis of Costs
Invest in Automation Upfront
The Journey to a Mature Programme
A route to maturity
Four Stages to a Mature Programme
Reactive
• Fire fighting mode
• Responding to emergencies
• Limited scale and scope
Baseline
• Wider coverage
• More comprehensive assessments
• Greater measure of control and KPIs
Expanded
• Fully integrated into the SDLC
• AppSec is seen as BAU
Advanced
• More nuanced in approach to tools and teams
• Highly integrated in a DevSecOps approach
Demonstrate a Vision for Your Programme
Future Proofing Your Business
Invest for the future
Dev(Sec)Ops and Automation
https://dzone.com/articles/devops-trends-2019-what-you-need-to-know
Security as a Competitive Advantage / Requirement
https://www.capgemini.com/2018/05/cybersecurity-the-new-competitive-advantage-for-retailers/
Top Takeaways to Remember
• Fight for more of the budget pie
• Plan on expanding the budget pie
• Pick metrics that matter to your business
• Benchmark against your peers/competitors
• Pick solutions that allow automation
• Invest upfront to automate to achieve long term ROI
• Don’t expect instant gratification!
Get In Touch
• Follow up via the Brighttalk page
• Follow up with the point of contact in your registration email
• Please do @ me on Twitter : @colindomoney
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 

How to create a business case for expanding your AppSec program

1. © 2019 VERACODE INC.
How to Create a Business Case for Expanding Your AppSec Program
Colin Domoney

2. Introduction
Why are we here?

3. About the Presenter: Colin Domoney
@colindomoney
• Have run enterprise AppSec programmes
• Former Solutions Architect at Veracode enabling customers and evangelising AppSec
• DevSecOps consultant advising on how to build secure, safe software in a reliable and repeatable manner
• Technologist at heart – interested in all new technology, particularly automation, containers, cloud.

4. Agenda
• Expanding the AppSec Programme at Deutsche Bank
• Fighting for Budget
• Strategies for Obtaining Budget
• Programme Metrics That Matter
• Findings from Our Customers
• The Journey to a Mature Programme
• Future Proofing Your Business

5. Expanding the AppSec Programme at Deutsche Bank
My own story

6. AppSec Programme at Deutsche Bank
• Established as a greenfield initiative in 2012
• Scaled from 150 apps to 1,900 in 3 years
• Remediated 500,000 high severity flaws in a single year
• Heavy use of automation to reduce manual effort
• Staffed by only one AppSec expert
• Supported by a small team of analysts

7. Year One: Inception
PROGRAMME GOALS
• Scan and triage 150 most critical applications in estate
• Reduce critical flaws in applications
• Create awareness for AppSec
BUDGET JUSTIFICATION
• Augmented the value of the manual pen-test programmes by removing ‘low hanging fruit’
• SaaS provided cost benefits due to low setup overheads

8. Year Two: Expansion
PROGRAMME GOALS
• Expand programme to 750 applications
• Used remediation calls to drive flaw closure
BUDGET JUSTIFICATION
• Drive wholesale cost reduction of manual pen-test programmes while expanding coverage scope
• Reduced developer effort by using AppSec experts as coaches

9. Year Three: Remediation
PROGRAMME GOALS
• Closed over 500,000 high severity flaws
• Deployed AppSec experts to achieve aggressive remediation
• Created ‘security champions’ to promote security capability
BUDGET JUSTIFICATION
• Small team provided massive net risk reduction, reducing likelihood of costly breaches
• Creating internal capability led to long term savings

10. Year Four: Automation
PROGRAMME GOALS
• Expanded coverage to 2,500 applications
• Injected automated scanning into all central CI/CD systems and artefact repositories
BUDGET JUSTIFICATION
• Leveraged automation at all points to reduce manual labour costs of programme execution
• Negotiated beneficial terms with Veracode based on our ability to execute and deliver value
11. Fighting for Budget
Getting more of the pie

12. Getting More of the Pie
[Pie chart: All other security programmes and projects vs. AppSec programme]

13. Steal Other People’s Pie
• Show better business outcomes
• Demonstrate higher efficiencies
• Demonstrate ROI via consumption
• Be more visible than others
• Demonstrate cost savings

14. Get a Bigger Pie
• Demonstrate a vision for the future
• Attach to a ‘pet project’
• Attach to a burning problem

15. Strategies for Obtaining Budget
It’s not just ROI

16. “CISO’s Guide to Obtaining Budget”
https://securityintelligence.com/series/a-cisos-guide-to-obtaining-budget/
• Know Your Audience
• Know Yourself
• Cultivate Your Credibility
• Never Waste a Crisis
• Exploit Pet Projects

17. Must Do, Should Do, Could Do
https://www.risklens.com/blog/win-the-infosec-budget-cycle-a-short-guide-for-cisos/
• Must Do: Regulatory and compliance
• Should Do: Prevent negative impact on your company
• Could Do: R&D and innovation

18. Benchmarking Against Competitors
https://www.veracode.com/state-of-software-security-report
• Benchmark your company against competitors in your segment
• If you’re lagging, use this as a driver to invest and close the gap
• If you’re leading, use this as an opportunity to embark on more ambitious projects

19. Heard via the Grapevine …
“significant cost savings using a centralised solution over ad-hoc on demand siloed testing”
“the cost of the programme is insignificant compared to the cost of losing customers”
“we were losing customers because we couldn’t demonstrate we were developing secure software”
20. Programme Metrics That Matter
Numbers that count

21. How To Measure Your Programme
https://www.csoonline.com/article/3200270/cybersecurity-spend-roi-is-the-wrong-metric.html
https://www.fairinstitute.org/fair-book
https://www.howtomeasureanything.com/cybersecurity/

22. Use Metrics to Manage Your AppSec Programme
https://www.veracode.com/sites/default/files/Resources/Whitepapers/using-metrics-to-manage-your-application-security-program-sans-veracode.pdf

23. Veracode’s Top Five Programme Metrics

24. #1: Your Flaw Density
WHAT: Reports where the most code flaws are seen
USE CASE:
• Allows appropriate focus on expansion of developer training activities
• Securing third-party software
• Identifying vulnerable components or libraries

25. #2: Your Fix Rate
WHAT: How long it takes you to fix vulnerabilities
USE CASE:
• Allows appropriate focus on expansion of developer training activities
• Augment your development team using advisors or security champions
• Redirect funds toward remediation activities

26. #3: Your Rank in AppSec Maturity Models
WHAT: How you compare to industry leaders and best practices
USE CASE:
• Identify gaps in your programme based on the lessons learned by others and best practices
• Expanding your programme to remain competitive

27. #4: Your Compliance with Industry Regulations
WHAT: Whether you are meeting relevant industry regulations
USE CASE:
• Code reviews built into the SDLC
• Both manual and automated assessments
• Controls around 3rd party software
• Gap analysis
• Continuous verification

28. #5: Your Compliance with Internal Policies
WHAT: Whether you are meeting your internal policies
USE CASE:
• Provide additional developer training
• Gap analysis
• Continuous verification
• Augment your development team using advisors or security champions

29. Metrics Used in My Deutsche Bank Programme
“What percentage of applications are covered by the AppSec programme?”
“What percentage of applications are compliant with the AppSec policy?”
30. Findings From Our Customers
Forrester TEI report

31. SANS AppSec ROI Report
https://www.veracode.com/blog/managing-appsec/optimizing-your-appsec-investment-value-stream-mapping

32. Investment Decision Making

33. Simple Return on Investment Model

34. Forrester Total Economic Impact Report
https://info.veracode.com/analyst-report-forrester-the-total-economic-impact-study.html

35. Research Methodology

36. Results Take Time

37. Analysis of Benefits

38. Doing More with a Smaller Team

39. Reduce Costs of 3rd Party Testing

40. Analysis of Costs

41. Invest in Automation Upfront
42. The Journey to a Mature Programme
A route to maturity

43. Four Stages to a Mature Programme
Reactive
• Fire fighting mode
• Responding to emergencies
• Limited scale and scope
Baseline
• Wider coverage
• More comprehensive assessments
• Greater measure of control and KPIs
Expanded
• Fully integrated into the SDLC
• AppSec is seen as BAU
Advanced
• More nuanced in approach to tools and teams
• Highly integrated in a DevSecOps approach

44. Demonstrate a Vision for Your Programme

45. Future Proofing Your Business
Invest for the future

46. Dev(Sec)Ops and Automation
https://dzone.com/articles/devops-trends-2019-what-you-need-to-know

47. Security as a Competitive Advantage / Requirement
https://www.capgemini.com/2018/05/cybersecurity-the-new-competitive-advantage-for-retailers/

48. Top Takeaways to Remember
• Fight for more of the budget pie
• Plan on expanding the budget pie
• Pick metrics that matter to your business
• Benchmark against your peers/competitors
• Pick solutions that allow automation
• Invest upfront to automate to achieve long term ROI
• Don’t expect instant gratification!

49. Get In Touch
• Follow up via the Brighttalk page
• Follow up with the point of contact in your registration email
• Please do @ me on Twitter: @colindomoney