
The AppSec Framework V1.0 - 20190301
@gritche_

Governance of an AppSec Program: Build and run an AppSec Program

Build the Program
- AppSec Policy
- S-SDLC Policy
- Security by Design
- Shift Left

Run the Program
- Manage the program with KPI / KRI
- Manage the Security Pipeline
- Improve the Program

Check Efficiency
- Policy Review
- Process Review
- Pipeline Review
- Security measure of maturity (OpenSAMM – BSIMM)
- Application Scoring
- Gap Mitigation
- Awareness

Defining the AppSec Program: Where to integrate security in apps?

Defining the Security Model
- Automation
- On-premise Environment
- Multi-Cloud Environment
- Container Environment

Defining the Security Processes
- Patch Management
- Configuration Management
- Vulnerability Management
- Change Management
- Incident Management

Choosing Technology / Standards
- Service Provider
- App. Vuln.: SAST - DAST - IAST - RASP
- Standards: ISO2700x – SANS - OWASP - NIST – ANSSI
- Security Accreditation

The Security Pipeline: How to implement security in the SDLC?

Requirements
- Use of external standards
- DevSec Awareness
- Writing of internal guidelines

Design
- DevSec Awareness
- Threat Modeling
- Design Review
- Privacy by Design and by Default
- Risk Analysis

Development
- Code Audit
- Code Review

Test
- Vulnerability Audit
- Pentest

Deployment
- Hardening
- Vulnerability Audit
- Pentest

Production
- Recurrent Pentest
- Bug Bounty
- Vulnerability Management
- App Protection
- SOC Deployment
Who is concerned?

- CISO: He is the keystone of the security system and he defines the best strategy for an optimal level of security, including the application perimeter. The CISO is the conductor of the AppSec program.
- Software experts: As they design, code and build software, they are at the heart of the AppSec program. They are accountable for the quality and the security of software.
- Infrastructure experts: As they mainly deal with availability, performance and scaling for the application, they historically practice IT security for infrastructure, and they now partner with software experts to guarantee Ops.
- CIO: Head of the IT strategy and manager of the software experts and infrastructure experts, he needs to be the principal sponsor of the AppSec program and the main partner of the CISO.

Why deploy an AppSec Program?

Deploying an AppSec program gives meaning to digital security by applying a holistic model for security and achieving the goal of "Security by Design". Such a program is iterative and needs to evolve according to the maturity of the organization.

You don't have to be DevSecOps to apply the "Shift Security to the Left" paradigm and to practice automation in your digital factory.

An AppSec program combines People (training and organization), Process (SDLC, risk management, guidelines and control) and Technology (tools and frameworks).

Level 0 – Starting Maturity
- Application Security may be practiced without formalized best practices or defined policies
- Not all stakeholders are aware of security, nor involved in the approach

Level 1 – Minimal Maturity
- Know your different assets: application mapping, development methods, people, software technologies, existing tools…
- Write a first edition of policies
- Define and implement security processes
- Define the essential tools to design a first security pipeline

Level 2 – Enhanced Maturity
- Gain experience from a first perimeter and enhance the AppSec program
- Improve policies, the organization of security and the security pipeline
- The AppSec program is deployed in a larger scope of applications and development teams

Level 3 – Leading Maturity
- The AppSec program is deployed to all applications and the whole IS
- Manage the program with KPI / KRI
- Engage iterations with PDCA cycles to keep up with evolutions of the IS

How to kick off an AppSec Program in 3 steps?

1 Prepare your program
- Assess all existing practices
- Define a first achievable target and the path to quick wins, to improve on the first step
- Write a first edition of your AppSec Policy defining why and what you want to do
- Define the essential items of the Security Pipeline
- Identify the perimeter for the first iteration: applications and teams

2 Prepare your organization
- Identify Security Champions in operational teams and work with them
- Introduce the AppSec Policy to the teams of the identified perimeter
- Train the stakeholders: DevSec awareness for developers, automation for infrastructure experts

3 Play the first iteration
- Work with the Security Champions to implement: the first edition of the AppSec Policy, the chosen security models and processes, and the identified tools of the Security Pipeline
- And let's play the new game!

Think big, start small, scale fast!
Getting started is a difficult step and running an AppSec Program is a long way. Be ambitious: iterate with better processes, more tools if necessary, and extension of the perimeter.

Special thanks for reviewing to Ludo_L_, Twit_No_Lu33Y, YassirKazar and CoteNicolas
