Application Security

Structuring Governance with AppSec Flow

The AppSec market has gained high visibility in recent years. As a consequence, new tools and platforms have emerged that seek to give managers greater control.

However, we have also seen many platforms repackaged and presented as tools that deliver all kinds of solutions, generically and without showing the body of knowledge on which those solutions rest.

At Conviso, we don't believe in that. We understand that tools and platforms must be built with a purpose: to solve a specific problem and deliver the best solution within a solid and measurable knowledge structure.

In this context, we believe a platform stands on much firmer ground when it is grounded in a structured methodology whose results have been tested in practice.

With that in mind, AppSec Flow is built on methodologies and processes that focus on improving the secure development process, and one of these standards is OWASP SAMM.


What is SAMM?

SAMM (Software Assurance Maturity Model) is a model developed by OWASP (Open Web Application Security Project) whose main objective is to raise the level of application security through education, models and standards to be followed.

To explain the practices of the OWASP SAMM framework, we are producing a series of detailed articles on the subject.

How Governance is supported by AppSec Flow

Governance is a fundamental part of the secure development process; indeed, it is an important concept for any activity that requires efficient and effective management. In SAMM, Governance is one of the business functions, and its practices (Strategy & Metrics, Policy & Compliance, and Education & Guidance) are the three themes covered below.

Measuring and structuring the Strategy

Software security maturity can be seen as progress across many activities, each with different concerns.

The goal of AppSec Flow as a management platform is to help build a plan that makes improvement points in the process visible. Without a well-defined plan, executing the strategy becomes very difficult, and performing unstructured tasks is a waste of time.

In short, AppSec Flow aims to help create an efficient and effective plan that allows the manager to achieve the software security objectives.

AppSec Flow supports this task directly through its asset registry, which lets the team assign a business criticality to each asset under management.

Once asset criticality is known, it becomes possible to plan how to act on each identified vulnerability.

This way each vulnerability gets the attention it actually deserves: the team does not spend its time fixing a critical vulnerability in an asset of low business priority while a medium-severity vulnerability in a critical asset is left in the background.

This view gives the manager proper control over their assets and over how each one should be treated in the remediation process.
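To make the prioritization rule above concrete, here is a small added example of combining asset criticality with vulnerability severity to rank findings and derive remediation deadlines. It is illustrative code written for this article, not AppSec Flow's own scoring logic (which the article does not describe); the ordinal scales, tier thresholds, SLA days and the sample assets and findings are all assumptions constructed for the example.

```python
# Added illustration: "asset criticality x vulnerability severity" triage.
# This is NOT AppSec Flow's own scoring; scales, tiers, SLAs and sample data are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed ordinal scales for business criticality of an asset and technical severity of a finding.
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed remediation SLA (calendar days) per priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # key of CRITICALITY


@dataclass(frozen=True)
class Finding:
    id: str
    asset: Asset
    severity: str  # key of SEVERITY
    found_on: date


def risk_score(f: Finding) -> int:
    """Business-weighted score: asset criticality times technical severity (1..16)."""
    return CRITICALITY[f.asset.criticality] * SEVERITY[f.severity]


def priority_tier(score: int) -> str:
    """Map the score onto four SLA tiers (thresholds are assumptions)."""
    if score >= 12:
        return "P1"
    if score >= 8:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    """Deadline implied by the finding's tier, counted from the day it was found."""
    return f.found_on + timedelta(days=SLA_DAYS[priority_tier(risk_score(f))])


def rank(findings):
    """Highest risk first; earlier due date breaks ties; id keeps the order stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), due_date(f), f.id))


def overdue(findings, today: date):
    """Ids of findings whose SLA has already passed on `today` (input order preserved)."""
    return [f.id for f in findings if due_date(f) < today]


# Constructed sample data (not real assets or vulnerabilities).
PAYMENTS = Asset("payments-api", "critical")
WIKI = Asset("internal-wiki", "low")
SAMPLE_FINDINGS = [
    Finding("F-1", WIKI, "critical", date(2021, 3, 1)),    # critical bug, low-value asset
    Finding("F-2", PAYMENTS, "medium", date(2021, 3, 1)),  # medium bug, critical asset
    Finding("F-3", PAYMENTS, "high", date(2021, 3, 1)),    # high bug, critical asset
]
REVIEW_DATE = date(2021, 4, 15)  # assumed "today" for the overdue check


def triage(findings=SAMPLE_FINDINGS):
    """Return (id, tier, ISO due date) in the order the team should work them."""
    return [(f.id, priority_tier(risk_score(f)), due_date(f).isoformat())
            for f in rank(findings)]


if __name__ == "__main__":
    for row in triage():
        print(*row)
    print("overdue on", REVIEW_DATE, ":", overdue(SAMPLE_FINDINGS, REVIEW_DATE))
```

With these weights the medium-severity finding on the critical payments API (score 8, P2) ranks above the critical finding on the low-value wiki (score 4, P3), which is exactly the trade-off the paragraph above describes. In practice the scales and SLA days should come from the organization's own policy, and any tie-breaking rule should be documented so the ranking is reproducible.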

Good governance also means ensuring that the knowledge acquired is reused within the company itself. This is done by creating playbooks and specific documentation of the fixes applied, building a history that is stored on the platform for future reference; without it, that knowledge would simply be lost.

Prioritizing assets and their fixes is not enough if there is no way to track progress toward the goals we set.

For that, the AppSec Flow dashboard presents information such as vulnerability volume, number of people trained and other metrics.

From the information extracted from the analyses, it is possible to create playbooks that help track KPIs.

As we discussed in our article on the importance of communication, AppSec Flow allows constant and direct exchange between team members, enabling them to share experiences and improve the process.

In this way, managers gain better visibility of the processes in their area.

What are your policies and legal requirements?

Governance means building a structured and usable management model.

That requires platforms that help maintain this planning; otherwise all we have is a good intention to manage the structure, with no adequate way to validate the plan.

AppSec Flow helps ensure that all requirements, whether legal, contractual or SLA-based, are monitored and kept under control.

Likewise, internal and external security standards must be followed to ensure compliance, and that compliance must be aligned with the company's business objectives.

Again, in AppSec Flow the team can create playbooks that describe the requirements to be followed and how they apply to software security work.

Once these documents describe the structure, they can be linked to the analyses, ensuring the recommendations and guidelines are followed even when the developer has no direct knowledge of them. Likewise, playbooks can define prescriptive testing and validation guidelines that speed up the team's day-to-day work.

In addition, playbooks can serve as documentation of all regulations the development teams must follow, speeding up validation and testing.

Publishing Knowledge

Documenting, issuing directives and demanding best practices is useless without a well-trained team armed with the right information.

Within the governance process, tracking this evolution, and having the information needed to get ahead of problems, is fundamental.

AppSec Flow presents data on the development teams' current understanding and learning needs, allowing the manager to build training plans.

The focus can then be on creating the conditions for teams to carry out their activities as well as possible, without constant intervention from managers.

One recurring theme among teams is the need for a continuous training cycle that delivers knowledge of best practices and security awareness.

With each cycle, the organization builds a solid knowledge base, which enables knowledge to be distributed not only among developers but also to other areas of the company.

Through the AppSec Flow documentation structure, it is possible to build documentation (playbooks) that serves as the basis for a structured onboarding process.

Likewise, the platform gives developers access to secure development best-practice guides created and maintained within the platform itself, and acts as a direct communication channel between all teams for exchanging experiences and knowledge.

We believe a well-structured platform is a major step toward building and maintaining an efficient secure development process.

About author
Over 15 years of experience in Information Security and Application Security; graduated in Data Processing; worked as a professor and actively participated as an instructor in training for more than 6,000 developers and IT teams. Father of two daughters and a trader in his free time.