Stakeholders and Allies: Amplifying Your Application Security Program


Author: Warren Kopp


Building an application security program is hard. Application Security teams struggle to grow, to be effective, or to get budget. Why? They're missing the collaboration. You face resistance from developers: they don't want to change their practices. You face resistance from testers: this isn't in their test plans. You face resistance from leadership: SAST costs how much?! Overcoming this adversity depends on growing your communication and collaboration skills.

It's key to learn how to identify stakeholders for AppSec output. Who needs to know about your metrics? Why do they need to know that? Is it Marketing, to help sell your software, your posture, your commitment? Is it Compliance, to know about all the hard work that goes into building secure defaults? Is it Operations, so they know how to report new vulnerabilities? These are only a few examples of where in your company you might find new allies. At every level in an organization there are people who need to know about Application Security who aren't currently even aware of the concept. And they need your help to get there.

Attendees will learn about sharing their hard work with the right people across their organization. They will learn how to find the right people for their message, and how to build the right message for the audience. They will learn how to solicit feedback and build actionable plans and goals to address it.

It is on the shoulders of Application Security teams to reach out and build a community around their goals. This takes a lot of meetings, a lot of compromise, and quite often a lot of doing "non-security" work. But it builds a stronger team that breaks down existing silos. It builds a more effective organization that can adapt to changes in customers, markets, and technologies. Building a community around application security amplifies effort, but more importantly, strengthens the output. After building your community you will learn about vulnerabilities sooner, address questions quicker, and support your customers better, all while delivering more secure software.