Your application security program is up and running. It’s humming along. Vulnerabilities are down. Engineers are getting ahead of the security issues affecting their applications, and things are looking great. This is the point where most application security leaders begin to think about what’s next. Although there will be a temptation to simply keep doing what the team is already doing, neither security nor attackers stand still. The landscape of security issues is constantly evolving, and attacks only get better.
While fighting vulnerabilities should be the organization’s primary focus, your program should be designed so that the regular influx of vulnerabilities is not cause for alarm. Your program will have the people, process, and technology in place to manage vulnerabilities to closure within the timelines the organization has established. Even when a zero-day vulnerability comes in for which no patch can yet be deployed, you have built the communication channels, you know where your data and applications are, and you have the appropriate runtime protection tools in place to provide mitigation until a fix can be deployed.