7 Building a roadmap
This chapter covers

  • Determining an organization’s current application security posture
  • Identifying the gaps and the immediate needs of the organization
  • Developing a roadmap that addresses the short- and long-term goals

Congratulations! You’ve been put in charge of the application security program at an organization. Your mission, should you choose to accept it, is to bring secure software development to the organization with minimal budget and a small team. Where do you begin? A lot of this depends on whether you are starting from scratch or whether there’s a program that already exists. For the remainder of this chapter, I will assume that you are starting from scratch. Many of the concepts hold regardless.

7.1 Getting the current security posture

7.1.1 Going on tour

7.1.2 What tools exist?

7.1.3 What vulnerabilities do you have?

7.1.4 What additional information is available?

7.2 Understanding the organization’s security goals

7.2.1 The organization’s goals

7.2.2 The application security goals

7.2.3 Aligning the business and security goals

7.3 Identifying the gaps

7.3.1 Finding the immediate gaps

7.3.2 Input into the gap analysis

7.3.3 What to do with the gap analysis

7.4 Sample application security roadmap

7.4.1 Secure engineering education

7.4.2 Educating the application security team

7.4.3 Application security tools roadmap