Governance is a fundamental point of the secure development process: approaching governance in application security means building a management model that is structured and can be analyzed. This topic, very important but often underestimated in the daily work of those who practice AppSec, was the starting point of a webinar that Conviso held on June 28, with the participation of Jederson Freitas, Head of Information Security at Blu, and Wagner Elias, CEO of Conviso. The session was held in Portuguese.
“It is important for us to be able to approach these topics so that people can evolve their security strategies and be more prepared for challenges”, reckoned Jederson, at the beginning of the chat.
As for the concept of Governance in AppSec, he summarizes: “Governance is the strategy, and management is a more tactical context. It is necessary to understand what a business needs to have resilience, to expose its services in its market, get the bigger picture regarding laws and regulations – it is crucial to know the context. And, well, the context is very challenging – and it all starts with Governance,” he said.
The specialists also discussed topics such as AppSec tools and the importance of creating an application security culture in development teams.
Vulnerability versus Risk
A topic addressed throughout the conversation was the issue of vulnerability versus risk. According to Wagner and Jederson, a common challenge for teams is not knowing exactly how to calculate risk. “Vulnerability without risk means nothing,” stated Wagner.
Jederson agrees: “It is necessary to have an inventory, classify the relevance of these applications, know the level of exposure – and from there, it is possible to think about risk”.
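The ranking sketch below is an added illustration, not code from the webinar or from the Conviso Platform. It shows the point the speakers make: the same technical finding carries a different risk depending on the inventory data (criticality and exposure of the affected application), so severity alone does not tell you what to fix first. The weights, the scoring formula, the asset and finding records, and the PII adjustment are all constructed assumptions for the example, not an industry standard.

```python
"""Risk ranking of findings using asset context (added example, constructed data)."""
from dataclasses import dataclass

# Assumed exposure weights: how reachable the application is to an attacker.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4}


@dataclass(frozen=True)
class Asset:
    """One inventory entry, classified by its owner (assumed fields)."""
    name: str
    criticality: int   # 1 (low) .. 5 (business critical)
    exposure: str      # key of EXPOSURE_WEIGHT
    handles_pii: bool  # regulatory relevance


@dataclass(frozen=True)
class Finding:
    """One scanner or pentest result with its technical severity only."""
    asset: str
    title: str
    cvss_base: float   # 0.0 .. 10.0


def risk_score(finding: Finding, asset: Asset) -> float:
    """Combine technical severity with business context on a 0..100 scale.

    Severity is scaled by criticality (1..5 -> 0.2..1.0) and by exposure;
    PII handling adds 25% but the context factor is capped at 1.0, so the
    score never exceeds CVSS * 10. Formula is an assumption for illustration.
    """
    if not 0.0 <= finding.cvss_base <= 10.0:
        raise ValueError(f"CVSS out of range: {finding.cvss_base}")
    if asset.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"Unknown exposure class: {asset.exposure}")
    if not 1 <= asset.criticality <= 5:
        raise ValueError(f"Criticality out of range: {asset.criticality}")
    context = (asset.criticality / 5) * EXPOSURE_WEIGHT[asset.exposure]
    if asset.handles_pii:
        context = min(1.0, context * 1.25)
    return round(finding.cvss_base * 10 * context, 1)


def rank_findings(findings, inventory):
    """Return (ranked, unknown). Findings on assets missing from the inventory
    are reported separately instead of dropped: an application nobody has
    registered is itself a governance gap that the risk model cannot price."""
    by_name = {a.name: a for a in inventory}
    ranked, unknown = [], []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            unknown.append(f)
        else:
            ranked.append((risk_score(f, asset), f))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked, unknown


# Constructed sample inventory and findings (not real systems).
INVENTORY = [
    Asset("payments-api", criticality=5, exposure="internet", handles_pii=True),
    Asset("partner-portal", criticality=3, exposure="partner", handles_pii=True),
    Asset("qa-sandbox", criticality=1, exposure="internal", handles_pii=False),
]
FINDINGS = [
    Finding("qa-sandbox", "RCE in outdated image library", cvss_base=9.8),
    Finding("payments-api", "Missing rate limit on OTP endpoint", cvss_base=6.5),
    Finding("partner-portal", "Stored XSS in profile page", cvss_base=7.5),
    Finding("legacy-crm", "Default admin credentials", cvss_base=9.1),
]


def demo():
    """Rank the constructed findings; the sandbox RCE drops below the medium
    on the internet-facing payments API, and legacy-crm is flagged as unknown."""
    ranked, unknown = rank_findings(FINDINGS, INVENTORY)
    for score, f in ranked:
        print(f"{score:5.1f}  {f.asset:15s} {f.title}")
    for f in unknown:
        print(f"  ???  {f.asset:15s} {f.title}  (asset not in inventory)")
    return ranked, unknown


if __name__ == "__main__":
    demo()
```

The design choice worth noting is the `unknown` list: a finding on an asset that is not in the inventory cannot be scored, and silently assigning it a default context would hide exactly the inventory gap the speakers call out.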
Governance in AppSec: the role of tools
During the broadcast, the topic that raised the most questions from viewers was tooling.
“Many AppSec tools are available, but I see that the AppSec process and culture must be mature before thinking about investing in paid security tools – what do you think?”, asked one of the viewers. The speakers agreed that it is not a matter of choosing one specific tool, but of finding the tools that fit each job.
“There is no perfect formula that will work for all companies, so the best scenario is to test”, was the advice of Jederson, who reported having seen cases in which a tool that worked very well in one company did not have the same success in another. After all, if a tool generates a huge volume of false positives, it quickly loses credibility, an example the experts gave.
“And it is worth remembering that the tests need to be carried out together with the development teams”, reinforced Blu’s Head of Information Security. Something we always defend at Conviso is that tools are important in AppSec, but they shouldn’t be used as a silver bullet when it comes to implementing security in development teams.
Check also: Do tools solve AppSec problems?
Governance According to OWASP SAMM
When answering a question about reading references on Governance in AppSec, the CEO of Conviso reminded viewers of the Software Assurance Maturity Model (SAMM), a project in the portfolio of the Open Web Application Security Project (OWASP) that defines a set of practices for improving software security.
Initially developed by Pravir Chandra in 2009, the model proposes a set of security practices that cover the entire software lifecycle, including development and acquisition, and is independent of technology and process. It is intentionally built to be evolutionary and defines three maturity levels for each practice, with practices organized around risk.
On our blog, we have two articles on it:
Governance according to SAMM: Policies and Conformities in Application Security
Governance according to SAMM: Strategy and Metrics in Application Security
How Conviso Platform can help you with AppSec Governance
As it became clear throughout the webinar, Governance is a fundamental point within the Secure Development Process – it is, in fact, an essential concept to any activity that needs effective management.
One of the goals of the Conviso Platform – which was created based on SAMM – is to empower development teams by visualizing and creating a plan that establishes improvement points in the secure development process.
After all, without a well-defined plan, developers will have difficulty executing a strategy, and performing tasks in a disorganized way leads to rework and wasted time.
In this context, the Conviso Platform, with its five products, covers all stages of secure development and helps to create an effective plan, enabling the manager to reach software security objectives.
This happens, for example, through the asset register: the platform makes it possible to define a criticality for each asset under management, which in turn makes it possible to plan how to act on each identified vulnerability according to the asset it affects.
Learn all that Conviso Platform can do for your company by checking our new website!