Application Security Fundamentals and Coaching Basketball
Lee Bailey,Director, Information Security & Compliance, Tupperware Brands
A question: what are application security fundamentals, and how does a technology leader explain them to a project manager or a developer? Two great questions. In order to answer them, we will make two assumptions for the remainder of the article. The first assumption is that our organization is just starting to develop structure around application security. The second assumption is that there are limited people, technology, and financial resources available to implement and mature application security.
The fundamentals of application security, which we can explain to any project manager or developer, are:
b. Engage all stakeholders early.
c. Understand then address risks associated with the application and the data.
d. Re-use approved technology blueprints or processes whenever possible.
Notice that these application security fundamentals are not technical controls or detailed processes focused on software development. Instead, they are people- and process-driven, and all team members can understand them. They are also not a single checklist a developer can apply to every application. These application security fundamentals are leadership focused, with the goals of (1) aligning the development and project management teams with the information security and privacy teams, (2) raising security and privacy awareness, and (3) providing opportunities to standardize and improve SSDLC processes for future development projects.
In practice, and in the spirit of Coach Wooden: “…if the team doesn’t follow these fundamentals, then there will be organizational friction (i.e. tension, blame, or “blisters”). If there is organizational friction, then the project will slow down and escalation will occur. If the project slows down and escalations occur, then everyone will be distracted, which may cause missed deadlines OR longer work hours to make up the time. It may also cause the team to push through a solution that does not address the risks, or require leadership to accept risk the team could have addressed.”
These are the application security fundamentals from a leadership perspective. The expectation is that the SSDLC will mature and the team will add technical controls with detailed processes. The following checklist is a reference for organizations building out Secure Application Development capabilities.