9 Continuously improving the program

This chapter covers

  • Exploring modern and advanced techniques for application security
  • Supporting future changes in the application security space
  • Avoiding common pitfalls with an application security program

Your application security program is up and running. It’s humming along. Vulnerabilities are down. Engineers are getting ahead of the security issues that are impacting their applications, and things are looking great. This is the point where most application security leaders begin to think about what’s next. Although there will be a desire to just keep going with what the team is doing, security and attackers do not stand still. There is an ever-evolving landscape of security issues, and attacks only get better.

Whereas fighting vulnerabilities should remain the organization’s primary focus, your program should be designed so that the regular influx of vulnerabilities is not a cause for alarm. Your program will have the people, process, and technology in place to manage vulnerabilities to closure within the timelines the organization has established. Even when a zero-day vulnerability arrives with no patch available to resolve it, you have built the communication channels, you know where your data and applications are, and you have the appropriate run-time protection tools in place to provide mitigation until a fix can be deployed.

9.1 Keeping ahead of the attacker

9.1.1 MITRE ATT&CK

9.1.2 Cyber Kill Chain

9.2 Threat catalogs

9.2.1 Applying the OWASP Top Ten

9.2.2 Applying the MITRE CWE Top 25

9.3 Staying ahead of engineering

9.3.1 Keeping up with the coding languages

9.3.2 Keeping up with the technology changes

9.3.3 When hiring and training aren’t enough

9.4 Stop chasing the shiny new tool

9.4.1 Use a capability matrix

9.4.2 Managing the tool and vendor

9.4.3 Buy the shiny new tool