Three Actionable Initiatives to Improve Your Application Security Posture Foundation.

When I first looked at our enterprise through the lens of a cybersecurity product manager, I questioned what I could influence. The situation was grim: multiple business units were doing their own thing and building their own controls, and engineers were deploying code across the organization with inconsistent security controls. Most teams I interviewed focused on delivering value for their business unit; security was often an afterthought or taken on as tech debt.

Taken individually, each team was doing everything it could to protect its own application. But who was protecting the enterprise? How was security information reaching business leaders so that they could make data-driven decisions?

With so many unknown people, processes, and technologies, the first step is to investigate the situation.


Initiative 1: Build Your Internal Network


"...forcing security upon your partners is like telling your kids to eat their dinner before dessert."


When building an application security posture, the most essential resource is the people developing, operating, and paying for the applications you protect. The partners you work with are the first part of the foundation of your application security posture. For a product manager, it's imperative to learn about their problems, concerns, desires, and experiences. As you grow your application security posture practice, these partners will provide input into your overall vision and strategy. Acknowledging concerns, addressing problems, and providing vision to your partners kindles communication and builds a relationship between you and your partners. Of course, we all know we must support security, but forcing security upon your partners is like telling your kids to eat their dinner before dessert. Security must be an enabler to your partners so they can integrate frictionlessly, operate faster, and deliver value to your customers.


Initiative 2: Discovering the Application Lifecycle Journey Map

It's time to map out the application lifecycle journey using your new relationships with people in your organization. To be clear, this is not your CI/CD pipeline. The application lifecycle journey shows the path an application takes from its birth through its evolution and, eventually, its deprecation. Your organization may have only one application, a few, or maybe thousands. Each organization will be different.

Along with this discovery, it is essential to identify development cadences, uncover how releases happen, and ask how applications get promoted through environments. There should be plenty of questions to ask. Some additional questions I commonly ask are: What security processes are happening here? Are they automated, or are they manual gates? Which security controls do they cover?

When you map out all the processes you have been discovering, you will have a starting point for an application deployment threat model—looking at how an application goes from developer environment -> source code repository -> build process -> artifact repository -> operational environment. This map is a collection of the processes used in your organization, overlaid with their security interactions.


In addition, this map should give you insight into the engineering journey. Each step is a point where security could become a bottleneck. Most of an application's lifecycle advances because developers decide to move the code along the process, so it makes sense that, in many cases, it is the developers who implement a security tool. For monitoring tools, any finding they raise must be inserted into the product backlog, and the development team is again involved in scoping, prioritizing, and scheduling the story that closes the security issue.

Initiative 3: Identifying your Application Asset Library

Now that you have identified your partners and mapped the application lifecycle journey, it's time to take inventory of the applications your organization protects. Knowing your assets is foundational to almost every security endeavor you undertake. Your application estate also defines the scope of what you need to protect. For every one of these applications, the challenge is knowing that it exists, when it changes, and when it is removed. Your application asset library will be your best friend.

But before you assume that simply having an application asset library is enough to support your application security posture, ask some questions. Is the catalog complete? Does it tell me enough about each application? If I found a security issue in an application, could I find the owner of that application in less than 5 minutes? What other applications depend on this application?

Your application asset library is the foundational tool for determining which application assets you will measure for risk posture. To know your risks, you must really know your applications.
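As an added example (not from the article), the following Python sketch checks an application asset library against the questions above: is the catalog complete, can the owner be found quickly, and which applications depend on a given one. The inventory, its field names, and the e-mail addresses are constructed assumptions.

```python
# Added example: minimal checks over an application asset library.
# The inventory is constructed sample data; field names are assumptions.
from collections import defaultdict

REQUIRED_FIELDS = ("name", "owner", "environment")

# Constructed sample inventory: one entry per application.
INVENTORY = [
    {"name": "billing-api", "owner": "payments-team@example.test",
     "environment": "prod", "depends_on": ["auth-svc", "ledger-db"]},
    {"name": "auth-svc", "owner": "identity-team@example.test",
     "environment": "prod", "depends_on": []},
    {"name": "ledger-db", "owner": "",  # owner never recorded
     "environment": "prod", "depends_on": []},
    {"name": "reports-ui", "owner": "bi-team@example.test",
     "environment": "prod", "depends_on": ["billing-api", "legacy-etl"]},  # legacy-etl is not catalogued
]


def completeness_gaps(inventory):
    """Return (app, problem) pairs for entries that could not support triage."""
    names = {app["name"] for app in inventory}
    gaps = []
    for app in inventory:
        for field in REQUIRED_FIELDS:
            if not app.get(field):
                gaps.append((app["name"], f"missing {field}"))
        for dep in app.get("depends_on", []):
            if dep not in names:
                gaps.append((app["name"], f"depends on uncatalogued {dep}"))
    return gaps


def owner_of(inventory, name):
    """Who to contact when a finding lands on this application (None if unknown)."""
    for app in inventory:
        if app["name"] == name:
            return app["owner"] or None
    return None


def dependents_of(inventory, name):
    """Blast radius: applications that depend on `name`, directly or transitively."""
    reverse = defaultdict(set)
    for app in inventory:
        for dep in app.get("depends_on", []):
            reverse[dep].add(app["name"])
    seen, stack = set(), [name]
    while stack:
        for dependent in reverse[stack.pop()]:
            if dependent not in seen:
                seen.add(dependent)
                stack.append(dependent)
    return sorted(seen)
```

Run against a real catalog export, the gap list is the "cracks in the foundation" to fill before trying to measure risk across the portfolio.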

Final notes

Application security posture monitoring tracks the risk of your application portfolio so executives can make data-driven decisions. The foundation of monitoring your application security posture is built on people, processes, and technologies. A cybersecurity product manager needs a working relationship with the application teams, security teams, and value stream owners in order to deliver customer value securely. In addition, you must know the processes an application goes through to be created, to evolve, and to be deprecated. Finally, once you know your people and processes, you must know the applications you protect. In a modern enterprise, most of the tools needed to build this foundation already exist. Make sure to discover any cracks in the foundation and fill them in before you attempt to monitor your application security posture continuously. I find it nearly impossible to measure risk if every variable is unknown.

Purusottam Mupunu

Building Cloudanix.com (YC S21) | Helping companies with Code To Cloud Security

11 months

Love the insights. Building a people network, I believe, applies to all streams of security, not just application security. Security is about trust, and it can't be built without building connections with engineering and other stakeholders.
