chapter seven

7 Building a roadmap


This chapter covers

  • How to determine the current application security posture of an organization
  • Identifying the gaps and the immediate needs of the organization
  • Developing a roadmap that addresses the short-term and long-term goals

Congratulations! You’ve been put in charge of the application security program at an organization. Your mission, should you choose to accept it, is to bring secure software development to the organization with minimal budget and a small team. Where do you begin? A lot of this depends on whether you are starting from scratch or whether a program already exists. For the remainder of this chapter, I will assume that you are starting from scratch. Many of the concepts hold regardless.

7.1 Getting the current security posture

7.1.1 Going on tour

7.1.2 What tools exist?

7.1.3 What vulnerabilities do you have?

7.1.4 What additional information is available?

7.2 Understanding the organization’s security goals

7.2.1 The organization’s goals

7.2.2 The application security goals

7.2.3 Aligning the business and security goals

7.3 Identifying the gaps

7.3.1 Finding the immediate gaps

7.3.2 Input into the gap analysis

7.3.3 What to do with the gap analysis

7.4 Sample application security roadmap

7.4.1 Secure engineering education

7.4.2 Educating the application security team

7.4.3 Application security tools roadmap

7.4.4 Aligning engineering and security roadmaps

7.4.5 Building for the future

7.5 Summary