Untangling Enterprise AppSec with Developer Trust

Here are some tips to build an environment in which developers can do their best work while naturally following security goals and standards.

The struggle to build bridges between development and security teams is well known and understandably hard to solve. After all, developers simply want to develop, while AppSec teams, facing rising application security risk, put a roadblock on delivery to make sure the application is secure before it ships.

Regardless, the urgency to strengthen the bond between developers and AppSec teams has never been higher, as digital transformation is bringing application risk to the top of the CISO’s and board of directors’ list of concerns. Here are some road-tested tips to build an environment in which developers can do their best work while naturally following security goals and standards.

The current AppSec landscape

While it’s clear that a collaborative approach between the developers and AppSec teams is needed, our research shows divided views on who should be in charge of establishing AppSec policies. While 56% of CISOs think it’s their role, 41% see it as a task for developers, and 38% believe it should be the AppSec teams. Any ambiguity in the ownership of AppSec can result in policy gaps, making applications more susceptible to cyber-threats.

Opinions on who should ensure developers are trained in AppSec best practices are also split. About half of the CISOs think the AppSec teams should lead training, whereas the other half advocate for self-training methods like interactive courses. Given the complexities of the current threat landscape, a collaborative approach between developers and AppSec teams offers a more effective way to safeguard applications and the organization.

Top tactics for building developer trust in AppSec

      • Clearly define KPIs: Before you can start with any cybersecurity effort, you need to know what success looks like. No matter how good your efforts are, developers will never be perfect. For that reason, you need to define the key performance indicators (KPIs) of success: What is a reasonable number of vulnerabilities on the first scan of an application? What is a reasonable mitigation time? Are vulnerability rates decreasing year over year or quarter over quarter? Is mitigation time decreasing? You may have your own KPIs, but you must clearly define and socialize them, then track them over time in order to see meaningful success.
      • Provide required application security training: Beyond training on security processes, developers should be given an engaging way to learn to write secure code and to follow new threat types emerging in the field of application security. Look for solutions that let developers learn within their favorite integrated development environments (IDEs), so that stronger application security is built in from the very first line of code.
      • Identify testing tools to integrate into the process: To provide consistency across your program, you are likely going to automate the testing process, and a variety of tools will be required to verify the security of any software created. Identify the tools that appropriately cover every aspect of software security that is relevant to your process, and that check for vulnerabilities in any APIs, infrastructure-as-code, and open-source code included in the application.
      • Reduce alert fatigue through fidelity and consolidation: In the past decade, teams working in every area of cybersecurity and information security have experienced tool proliferation, with an exponential increase in blinking red lights (alerts) followed by a loss of process efficiency. Development and AppSec teams are no exception. Every security and development leader today is asking for both consolidation of vulnerability alerts and increased alert fidelity: fewer false positives, with the most critical vulnerabilities (those that can open the door to the worst types of data breaches and attacks) presented as the highest priority. As mentioned above, an IDE with critical AppSec testing capabilities built into its workflows will go a long way toward improving the developer experience and adoption of AppSec standards.

You’re only as strong as your weakest link in the AppSec chain

Team alignment and trust are crucial for a successful AppSec program. Alignment and trust between CISOs, AppSec professionals, and developers are necessary to identify and address vulnerabilities that could impact the business.

For enterprises, this can be even more challenging due to volume and scale: large development teams, billions of lines of code, hundreds of applications to release, and competing priorities. Settling for good-enough solutions is not an option. There is too much at stake.

Applying these tactics and best practices to your application development and application security processes will go a long way toward improving results and building better cross-team collaboration. In the end, this results in more consistently secure code and significantly reduced AppSec risk for your organization.

Peter Chestna

Peter Chestna serves as North American CISO for Checkmarx, helping security and development teams build DevSecTrust by securing every phase of development with its cloud-native platform. Checkmarx proudly serves 1,800 customers, including 60% of the Fortune 100.
