How to create a business case for expanding your AppSec program
Colin Domoney
1. How to Create a Business Case for Expanding Your AppSec Program
Colin Domoney
© 2019 VERACODE INC.

2. Introduction
Why are we here?

3. About the Presenter: Colin Domoney (@colindomoney)
• Have run enterprise AppSec programmes
• Former Solutions Architect at Veracode enabling customers and evangelising AppSec
• DevSecOps consultant advising on how to build secure, safe software in a reliable and repeatable manner
• Technologist at heart – interested in all new technology, particularly automation, containers, cloud

4. Agenda
• Expanding the AppSec Programme at Deutsche Bank
• Fighting for Budget
• Strategies for Obtaining Budget
• Programme Metrics That Matter
• Findings from Our Customers
• The Journey to a Mature Programme
• Future Proofing Your Business
5. Expanding the AppSec Programme at Deutsche Bank
My own story

6. AppSec Programme at Deutsche Bank
• Established as a greenfield initiative in 2012
• Scaled from 150 apps to 1,900 in 3 years
• Remediated 500,000 high severity flaws in a single year
• Heavy use of automation to reduce manual effort
• Staffed by only one AppSec expert
• Supported by a small team of analysts

7. Year One: Inception
Programme goals:
• Scan and triage 150 most critical applications in estate
• Reduce critical flaws in applications
• Create awareness for AppSec
Budget justification:
• Augmented the value of the manual pen-test programmes by removing ‘low hanging fruit’
• SaaS provided cost benefits due to low setup overheads

8. Year Two: Expansion
Programme goals:
• Expand programme to 750 applications
• Used remediation calls to drive flaw closure
Budget justification:
• Drive wholesale cost reduction of manual pen-test programmes while expanding coverage scope
• Reduced developer effort by using AppSec experts as coaches

9. Year Three: Remediation
Programme goals:
• Closed over 500,000 high severity flaws
• Deployed AppSec experts to achieve aggressive remediation
• Created ‘security champions’ to promote security capability
Budget justification:
• Small team provided massive net risk reduction, reducing likelihood of costly breaches
• Creating internal capability led to long term savings

10. Year Four: Automation
Programme goals:
• Expanded coverage to 2,500 applications
• Injected automated scanning into all central CI/CD systems and artefact repositories
Budget justification:
• Leveraged automation at all points to reduce manual labour costs of programme execution
• Negotiated beneficial terms with Veracode based on our ability to execute and deliver value
11. Fighting for Budget
Getting more of the pie

12. Getting More of the Pie
(Pie chart: the AppSec programme as one slice alongside all other security programmes and projects)

13. Steal Other People’s Pie
• Show better business outcomes
• Demonstrate higher efficiencies
• Demonstrate ROI via consumption
• Be more visible than others
• Demonstrate cost savings

14. Get a Bigger Pie
• Demonstrate a vision for the future
• Attach to a ‘pet project’
• Attach to a burning problem

15. Strategies for Obtaining Budget
It’s not just ROI
16. “CISO’s Guide to Obtaining Budget”
https://securityintelligence.com/series/a-cisos-guide-to-obtaining-budget/
• Know Your Audience
• Know Yourself
• Cultivate Your Credibility
• Never Waste a Crisis
• Exploit Pet Projects

17. Must Do, Should Do, Could Do
https://www.risklens.com/blog/win-the-infosec-budget-cycle-a-short-guide-for-cisos/
• Must Do: regulatory and compliance
• Should Do: prevent negative impact on your company
• Could Do: R&D and innovation

18. Benchmarking Against Competitors
https://www.veracode.com/state-of-software-security-report
• Benchmark your company against competitors in your segment
• If you’re lagging, use this as a driver to invest and close the gap
• If you’re leading, use this as an opportunity to embark on more ambitious projects

19. Heard via the Grapevine …
“significant cost savings using a centralised solution over ad-hoc on demand siloed testing”
“the cost of the programme is insignificant compared to the cost of losing customers”
“we were losing customers because we couldn’t demonstrate we were developing secure software”

20. Programme Metrics That Matter
Numbers that count
21. How To Measure Your Programme
https://www.csoonline.com/article/3200270/cybersecurity-spend-roi-is-the-wrong-metric.html
https://www.fairinstitute.org/fair-book
https://www.howtomeasureanything.com/cybersecurity/

22. Use Metrics to Manage Your AppSec Programme
https://www.veracode.com/sites/default/files/Resources/Whitepapers/using-metrics-to-manage-your-application-security-program-sans-veracode.pdf

23. Veracode’s Top Five Programme Metrics

24. #1: Your Flaw Density
What: reports where the most code flaws are seen
Use case:
• Allows appropriate focus on expansion of developer training activities
• Securing third-party software
• Identifying vulnerable components or libraries

25. #2: Your Fix Rate
What: how long it takes you to fix vulnerabilities
Use case:
• Allows appropriate focus on expansion of developer training activities
• Augment your development team using advisors or security champions
• Redirect funds toward remediation activities

26. #3: Your Rank in AppSec Maturity Models
What: how you compare to industry leaders and best practices
Use case:
• Identify gaps in your programme based on the lessons learned by others and best practices
• Expanding your programme to remain competitive

27. #4: Your Compliance with Industry Regulations
What: whether you are meeting relevant industry regulations
Use case:
• Code reviews built into the SDLC
• Both manual and automated assessments
• Controls around 3rd party software
• Gap analysis
• Continuous verification

28. #5: Your Compliance with Internal Policies
What: whether you are meeting your internal policies
Use case:
• Provide additional developer training
• Gap analysis
• Continuous verification
• Augment your development team using advisors or security champions

29. Metrics Used in My Deutsche Bank Programme
“What percentage of applications are covered by the AppSec programme?”
“What percentage of applications are compliant with the AppSec policy?”
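The metrics the deck names (flaw density and fix rate from the top five, plus the two Deutsche Bank questions on programme coverage and policy compliance) computed over scan data, as an added example that is not part of the original deck; the application names, finding dates, estate size and the 30-day remediation SLA are constructed assumptions, not figures from the programme.

```python
"""Programme metrics over a constructed application estate (added example)."""
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Finding:
    severity: str                 # "critical", "high", "medium" or "low"
    opened: date
    closed: Optional[date] = None # None means the finding is still open

@dataclass
class App:
    name: str
    kloc: float                   # thousands of lines of code scanned
    findings: list = field(default_factory=list)

# Constructed estate: six applications exist, four have been scanned at least once.
ESTATE_SIZE = 6
SCANNED = [
    App("payments-api", 120.0, [
        Finding("high", date(2019, 1, 10), date(2019, 1, 30)),
        Finding("critical", date(2019, 2, 1), date(2019, 2, 5)),
        Finding("low", date(2019, 2, 1)),
    ]),
    App("customer-portal", 300.0, [
        Finding("high", date(2019, 1, 3)),                       # still open
        Finding("medium", date(2019, 1, 20), date(2019, 3, 1)),
    ]),
    App("batch-reporting", 45.0, []),
    App("mobile-backend", 80.0, [
        Finding("high", date(2019, 3, 1), date(2019, 3, 12)),
    ]),
]
HIGH = {"critical", "high"}
SLA_DAYS = 30  # assumed internal policy: high/critical flaws close within 30 days

def flaw_density(app, severities=HIGH):
    """Metric #1: flaws of the given severities per thousand lines of code."""
    return sum(1 for f in app.findings if f.severity in severities) / app.kloc

def fix_rate(apps, severities=HIGH):
    """Metric #2: median days to close and the share closed within SLA (closed flaws only)."""
    durations = [(f.closed - f.opened).days
                 for a in apps for f in a.findings
                 if f.severity in severities and f.closed is not None]
    if not durations:
        return None, 0.0
    within_sla = sum(1 for d in durations if d <= SLA_DAYS) / len(durations)
    return median(durations), within_sla

def coverage(apps, estate_size):
    """Deutsche Bank metric: percentage of the estate covered by the programme."""
    return 100.0 * len(apps) / estate_size

def is_policy_compliant(app, as_of):
    """Compliant when no high/critical finding has been open longer than the SLA."""
    return not any(f.severity in HIGH and f.closed is None
                   and (as_of - f.opened).days > SLA_DAYS
                   for f in app.findings)

def policy_compliance(apps, as_of):
    """Deutsche Bank metric: percentage of covered applications compliant with policy."""
    return 100.0 * sum(is_policy_compliant(a, as_of) for a in apps) / len(apps)

def report(apps=SCANNED, estate_size=ESTATE_SIZE, as_of=date(2019, 4, 1)):
    """Single snapshot of the four metrics, suitable for a budget review slide."""
    med_days, within_sla = fix_rate(apps)
    return {
        "worst_density_app": max(apps, key=flaw_density).name,
        "median_days_to_fix": med_days,
        "fixed_within_sla": within_sla,
        "coverage_pct": coverage(apps, estate_size),
        "policy_compliance_pct": policy_compliance(apps, as_of),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The open high-severity finding in customer-portal is what drags policy compliance below coverage, which is the gap between the two Deutsche Bank questions the deck asks.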
30. Findings From Our Customers
Forrester TEI report

31. SANS AppSec ROI Report
https://www.veracode.com/blog/managing-appsec/optimizing-your-appsec-investment-value-stream-mapping

32. Investment Decision Making

33. Simple Return on Investment Model

34. Forrester Total Economic Impact Report
https://info.veracode.com/analyst-report-forrester-the-total-economic-impact-study.html

35. Research Methodology

36. Results Take Time

37. Analysis of Benefits

38. Doing More with a Smaller Team

39. Reduce Costs of 3rd Party Testing

40. Analysis of Costs

41. Invest in Automation Upfront

42. The Journey to a Mature Programme
A route to maturity
43. Four Stages to a Mature Programme
Reactive:
• Fire fighting mode
• Responding to emergencies
• Limited scale and scope
Baseline:
• Wider coverage
• More comprehensive assessments
• Greater measure of control and KPIs
Expanded:
• Fully integrated into the SDLC
• AppSec is seen as BAU
Advanced:
• More nuanced in approach to tools and teams
• Highly integrated in a DevSecOps approach

44. Demonstrate a Vision for Your Programme

45. Future Proofing Your Business
Invest for the future

46. Dev(Sec)Ops and Automation
https://dzone.com/articles/devops-trends-2019-what-you-need-to-know

47. Security as a Competitive Advantage / Requirement
https://www.capgemini.com/2018/05/cybersecurity-the-new-competitive-advantage-for-retailers/

48. Top Takeaways to Remember
• Fight for more of the budget pie
• Plan on expanding the budget pie
• Pick metrics that matter to your business
• Benchmark against your peers/competitors
• Pick solutions that allow automation
• Invest upfront to automate to achieve long term ROI
• Don’t expect instant gratification!
49. Get In Touch
• Follow up via the Brighttalk page
• Follow up with the point of contact in your registration email
• Please do @ me on Twitter: @colindomoney