Making the Business Case
Highlights from The Purple Book of Software Security, Chapter 7

In the world of application security, our primary goal is this: securing software applications at the lowest cost.

That's easy enough to say, but developing a low-cost security plan that doesn't create more problems than it solves is difficult. Security is costly, especially the talent involved. Fortunately, a little forward thinking and strategy built around the latest solutions can go a long way.

As infrastructure security costs diminish with cloud migration, budgets can make room for application security spending, true. But it's also a fact that software is becoming more complex. Not to mention, since organizations are more aware of vulnerability risks, we're also using more tools to scan more code. All of this ends up on the plates of a handful of AppSec engineers, who understandably will balk.

Your business case shouldn't leave out how "more AppSec" will be handled.

How heavily you staff your security team(s) and whether you decide to build or buy a platform are important financial decisions that ought to come after you've assessed the workload based on your product and SDLC, and determined how to scale to that demand.

This is where AppSecOps comes in. We're proponents of any methodology that helps teams do more with less; in this case, with fewer personnel, the biggest driver of cost. An AppSecOps platform takes in the findings from testing and scanning tools across the DevSecOps pipeline, prioritizes them, and makes remediation recommendations. And a good platform will blend in the automation and compliance functions your team already relies on.

Thus, a smaller AppSec team can be scaled up to secure software at the ridiculous pace it's developed today, without major tooling changes, serious turnover, or dramatic budget increases. Win, win, win.

The Purple Book's Chapter 7 looks to change the thinking around how AppSec programs are designed and outfitted, in order to help you make a compelling business case to your fellow leadership. Thanks go to ArmorCode CEO Nikhil Gupta and Snap Finance CSO Upendra Mardikar for the insights shared therein.

We invite you to be a part of The Purple Book's growing body of Coauthors by sharing your knowledge: thepurplebook.club/contribute-content

Chris Sheehan

CISO Partner, Networker, Connector | Cyber Startup GTM Professional | Exposure Management

2 years

I'll let my boss know the work week is over. More time to read and learn from some great thought leaders!
