© 2019 VERACODE INC.
How to Create a Business Case for Expanding Your AppSec Program
Colin Domoney
Introduction
Why are we here?
About the Presenter: Colin Domoney (@colindomoney)
• Have run enterprise AppSec programmes
• Former Solutions Architect at Veracode, enabling customers and evangelising AppSec
• DevSecOps consultant advising on how to build secure, safe software in a reliable and repeatable manner
• Technologist at heart – interested in all new technology, particularly automation, containers and cloud
Agenda
• Expanding the AppSec Programme at Deutsche Bank
• Fighting for Budget
• Strategies for Obtaining Budget
• Programme Metrics That Matter
• Findings from Our Customers
• The Journey to a Mature Programme
• Future Proofing Your Business
Expanding the AppSec Programme at Deutsche Bank
My own story
AppSec Programme at Deutsche Bank
• Established as a greenfield initiative in 2012
• Scaled from 150 apps to 1,900 in 3 years
• Remediated 500,000 high severity flaws in a single year
• Heavy use of automation to reduce manual effort
• Staffed by only one AppSec expert
• Supported by a small team of analysts
Year One: Inception
PROGRAMME GOALS
• Scan and triage the 150 most critical applications in the estate
• Reduce critical flaws in applications
• Create awareness for AppSec
BUDGET JUSTIFICATION
• Augmented the value of the manual pen-test programmes by removing ‘low hanging fruit’
• SaaS provided cost benefits due to low setup overheads
Year Two: Expansion
PROGRAMME GOALS
• Expand programme to 750 applications
• Used remediation calls to drive flaw closure
BUDGET JUSTIFICATION
• Drive wholesale cost reduction of manual pen-test programmes while expanding coverage scope
• Reduced developer effort by using AppSec experts as coaches
Year Three: Remediation
PROGRAMME GOALS
• Closed over 500,000 high severity flaws
• Deployed AppSec experts to achieve aggressive remediation
• Created ‘security champions’ to promote security capability
BUDGET JUSTIFICATION
• Small team provided massive net risk reduction, reducing the likelihood of costly breaches
• Creating internal capability led to long term savings
Year Four: Automation
PROGRAMME GOALS
• Expanded coverage to 2,500 applications
• Injected automated scanning into all central CI/CD systems and artefact repositories
BUDGET JUSTIFICATION
• Leveraged automation at all points to reduce manual labour costs of programme execution
• Negotiated beneficial terms with Veracode based on our ability to execute and deliver value
Fighting for Budget
Getting more of the pie
Getting More of the Pie
(Pie chart: the AppSec programme as one slice alongside all other security programmes and projects)
Steal Other People’s Pie
• Show better business outcomes
• Demonstrate higher efficiencies
• Demonstrate ROI via consumption
• Be more visible than others
• Demonstrate cost savings
Get a Bigger Pie
• Demonstrate a vision for the future
• Attach to a ‘pet project’
• Attach to a burning problem
Strategies for Obtaining Budget
It’s not just ROI
“CISO’s Guide to Obtaining Budget”
https://securityintelligence.com/series/a-cisos-guide-to-obtaining-budget/
• Know Your Audience
• Know Yourself
• Cultivate Your Credibility
• Never Waste a Crisis
• Exploit Pet Projects
Must Do, Should Do, Could Do
https://www.risklens.com/blog/win-the-infosec-budget-cycle-a-short-guide-for-cisos/
• Must Do: Regulatory and compliance
• Should Do: Prevent negative impact on your company
• Could Do: R&D and innovation
Benchmarking Against Competitors
https://www.veracode.com/state-of-software-security-report
• Benchmark your company against competitors in your segment
• If you’re lagging, use this as a driver to invest and close the gap
• If you’re leading, use this as an opportunity to embark on more ambitious projects
Heard via the Grapevine …
“significant cost savings using a centralised solution over ad-hoc on demand siloed testing”
“the cost of the programme is insignificant compared to the cost of losing customers”
“we were losing customers because we couldn’t demonstrate we were developing secure software”
Programme Metrics That Matter
Numbers that count
How To Measure Your Programme
https://www.csoonline.com/article/3200270/cybersecurity-spend-roi-is-the-wrong-metric.html
https://www.fairinstitute.org/fair-book
https://www.howtomeasureanything.com/cybersecurity/
Use Metrics to Manage Your AppSec Programme
https://www.veracode.com/sites/default/files/Resources/Whitepapers/using-metrics-to-manage-your-application-security-program-sans-veracode.pdf
Veracode’s Top Five Programme Metrics
#1 : Your Flaw Density
WHAT: Reports where the most code flaws are seen
USE CASE:
• Allows appropriate focus on expansion of developer training activities
• Securing third-party software
• Identifying vulnerable components or libraries
#2 : Your Fix Rate
WHAT: How long it takes you to fix vulnerabilities
USE CASE:
• Allows appropriate focus on expansion of developer training activities
• Augment your development team using advisors or security champions
• Redirect funds toward remediation activities
#3 : Your Rank in AppSec Maturity Models
WHAT: How do you compare to industry leaders and best practices?
USE CASE:
• Identify gaps in your programme based on the lessons learned by others and best practices
• Expanding your programme to remain competitive
#4 : Your Compliance with Industry Regulations
WHAT: Whether you are meeting relevant industry regulations
USE CASE:
• Code reviews built into the SDLC
• Both manual and automated assessments
• Controls around 3rd party software
• Gap analysis
• Continuous verification
#5 : Your Compliance with Internal Policies
WHAT: Whether you are meeting your internal policies
USE CASE:
• Provide additional developer training
• Gap analysis
• Continuous verification
• Augment your development team using advisors or security champions
Metrics Used in My Deutsche Bank Programme
“What percentage of applications are covered by the AppSec programme?”
“What percentage of applications are compliant with the AppSec policy?”
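As an added example (not code from the deck or from Veracode), the following computes the two Deutsche Bank programme metrics above, plus the flaw density and fix rate metrics from the top-five list, over a constructed application inventory; the policy thresholds (90-day scan window, 30-day SLA on high severity flaws) are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import List, Optional

# Constructed sample data, not taken from the deck: a small application
# inventory with scan dates, size in KLOC and per-application flaw records.
# Policy thresholds below are assumptions for the example.
TODAY = date(2019, 6, 30)
SCAN_WINDOW_DAYS = 90        # policy: scanned within the last 90 days
HIGH_SEVERITY_SLA_DAYS = 30  # policy: no high flaw open longer than 30 days

@dataclass
class Flaw:
    severity: str                  # "high", "medium" or "low"
    opened: date                   # first reported by the scanner
    closed: Optional[date] = None  # None while still open

@dataclass
class App:
    name: str
    kloc: float                    # thousands of lines of code scanned
    last_scan: Optional[date]      # None means never onboarded/scanned
    flaws: List[Flaw] = field(default_factory=list)

def is_covered(app: App) -> bool:
    """Coverage: the app has been onboarded and scanned at least once."""
    return app.last_scan is not None

def is_compliant(app: App, today: date = TODAY) -> bool:
    """Policy compliance: recent scan and no overdue high-severity flaws."""
    if not is_covered(app) or (today - app.last_scan).days > SCAN_WINDOW_DAYS:
        return False
    return not any(f.severity == "high" and f.closed is None
                   and (today - f.opened).days > HIGH_SEVERITY_SLA_DAYS
                   for f in app.flaws)

def coverage_pct(apps: List[App]) -> float:
    """Percentage of applications covered by the programme."""
    return round(100.0 * sum(is_covered(a) for a in apps) / len(apps), 1)

def compliance_pct(apps: List[App], today: date = TODAY) -> float:
    """Percentage of applications compliant with the AppSec policy."""
    return round(100.0 * sum(is_compliant(a, today) for a in apps) / len(apps), 1)

def open_flaw_density(apps: List[App]) -> float:
    """Flaw density: open flaws per KLOC across the scanned estate."""
    scanned = [a for a in apps if is_covered(a)]
    open_flaws = sum(1 for a in scanned for f in a.flaws if f.closed is None)
    size = sum(a.kloc for a in scanned)
    return round(open_flaws / size, 3) if size else 0.0

def median_fix_days(apps: List[App]) -> Optional[float]:
    """Fix rate: median days from first report to closure for fixed flaws."""
    days = [(f.closed - f.opened).days
            for a in apps for f in a.flaws if f.closed is not None]
    return median(days) if days else None

SAMPLE_APPS = [
    App("payments-api", 50, date(2019, 6, 1), [
        Flaw("high", date(2019, 5, 1), date(2019, 5, 20)),
        Flaw("medium", date(2019, 6, 10))]),
    App("legacy-portal", 20, date(2019, 2, 1), [        # scan is stale
        Flaw("high", date(2019, 1, 15), date(2019, 3, 1))]),
    App("mobile-backend", 30, date(2019, 6, 20), [
        Flaw("high", date(2019, 4, 1)),                  # overdue high
        Flaw("low", date(2019, 6, 1), date(2019, 6, 5))]),
    App("batch-reports", 10, None),                      # never scanned
]

if __name__ == "__main__":
    print(f"coverage {coverage_pct(SAMPLE_APPS)}%, "
          f"policy compliance {compliance_pct(SAMPLE_APPS)}%, "
          f"{open_flaw_density(SAMPLE_APPS)} open flaws/KLOC, "
          f"median fix {median_fix_days(SAMPLE_APPS)} days")
```

Coverage and compliance deliberately diverge here: an application can be onboarded and still fail policy because its scan is stale or a high severity flaw has overrun its SLA, which is why both numbers were tracked.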
Findings From Our Customers
Forrester TEI report
SANS AppSec ROI Report
https://www.veracode.com/blog/managing-appsec/optimizing-your-appsec-investment-value-stream-mapping
Investment Decision Making
Simple Return on Investment Model
Forrester Total Economic Impact Report
https://info.veracode.com/analyst-report-forrester-the-total-economic-impact-study.html
Research Methodology
Results Take Time
Analysis of Benefits
Doing More with a Smaller Team
Reduce Costs of 3rd Party Testing
Analysis of Costs
Invest in Automation Upfront
The Journey to a Mature Programme
A route to maturity
Four Stages to a Mature Programme
Reactive
• Fire fighting mode
• Responding to emergencies
• Limited scale and scope
Baseline
• Wider coverage
• More comprehensive assessments
• Greater measure of control and KPIs
Expanded
• Fully integrated into the SDLC
• AppSec is seen as BAU
Advanced
• More nuanced in approach to tools and teams
• Highly integrated in a DevSecOps approach
Demonstrate a Vision for Your Programme
Future Proofing Your Business
Invest for the future
Dev(Sec)Ops and Automation
https://dzone.com/articles/devops-trends-2019-what-you-need-to-know
Security as a Competitive Advantage / Requirement
https://www.capgemini.com/2018/05/cybersecurity-the-new-competitive-advantage-for-retailers/
Top Takeaways to Remember
• Fight for more of the budget pie
• Plan on expanding the budget pie
• Pick metrics that matter to your business
• Benchmark against your peers/competitors
• Pick solutions that allow automation
• Invest upfront to automate to achieve long term ROI
• Don’t expect instant gratification!
Get In Touch
• Follow up via the Brighttalk page
• Follow up with the point of contact in your registration email
• Please do @ me on Twitter: @colindomoney