AppSec advice on the internet often makes me go "that sounds great, but it would never work for me". In this edition, we try to build a framework to analyze what kinds of advice may work for you.
In house development v/s outsourcing play's a crucial role. Most of the ops-first company relies on offshore development and security is not taken into consideration during contract negotiations. Hence driving security initiatives are tough. Tech-first companies prefer in-house development which provides flexibility for new initiatives and provides organic environment for automation. Also, compliance and regulation plays a big role which sets low bar requirements (for ex - security maturity is bare minimum in medical devices; we need more regulation like GDPR across the globe to change this attitude) in ops-first companies which hinders the motivation. Where as security is a market differentiator in tech-first companies and drives product revenue. This in-turn drives security budget. So, alligning with strategic driving factors of an organization will play a role in the success of AppSec program initiatives.
In house development v/s outsourcing play's a crucial role. Most of the ops-first company relies on offshore development and security is not taken into consideration during contract negotiations. Hence driving security initiatives are tough. Tech-first companies prefer in-house development which provides flexibility for new initiatives and provides organic environment for automation. Also, compliance and regulation plays a big role which sets low bar requirements (for ex - security maturity is bare minimum in medical devices; we need more regulation like GDPR across the globe to change this attitude) in ops-first companies which hinders the motivation. Where as security is a market differentiator in tech-first companies and drives product revenue. This in-turn drives security budget. So, alligning with strategic driving factors of an organization will play a role in the success of AppSec program initiatives.