#35 - Setting Up an Application Security Program

CISO Tradecraft® - A podcast by CISO Tradecraft® - Mondays

Categories:

On this episode of CISO Tradecraft, you can learn how to build an Application Security program.

Start with Key Questions for:
- Security
- IT Operations
- Application Development/Engineering Groups

Identify Key Activities:
- Asset Discovery
- Asset Risk Prioritization
- Mapping Assets Against Compliance Requirements
- Setting up a Communications Plan

Perform Application Security Testing Activities:
- SAST
- DAST
- Vulnerability Scanners
- Software Composition Analysis
- Secrets Scanning
- Cloud Security Scanning

Measure and Improve Current Vulnerability Posture through metrics:
- The number of vulnerabilities present in an application
- The time to fix vulnerabilities
- The remediation rate of vulnerabilities
- The time vulnerabilities remain open
- Defect Density - number of vulnerabilities per server

We also recommend reading the Microsoft Security Developer Life Cycle Practices (link).

For more great ideas on setting up an application security program, please read this amazing guide from WhiteHat Security (link).

If you would like to improve cloud security scanning by automating Infrastructure as Code checks, then please check out Indeni CloudRail (link).
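As an added example (not part of the episode or its show notes), the Python below computes the five posture metrics named above over a small set of findings. The finding records, the per-application server inventory and the per-severity remediation SLAs are all constructed sample data; in practice these would come from your scanners' exports and your CMDB.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation SLA in days, by severity (sample values, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    app: str
    server: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None means the finding is still open

    def is_open(self, as_of: date) -> bool:
        # A finding closed after the reporting date still counts as open on that date.
        return self.closed is None or self.closed > as_of

    def age_days(self, as_of: date) -> int:
        # Days open so far, or days it took to fix if already closed.
        end = as_of if self.is_open(as_of) else self.closed
        return (end - self.opened).days


def _for_app(findings: List[Finding], app: str, as_of: date) -> List[Finding]:
    # Only findings that existed on the reporting date are considered.
    return [f for f in findings if f.app == app and f.opened <= as_of]


def open_count(findings: List[Finding], app: str, as_of: date) -> int:
    return sum(1 for f in _for_app(findings, app, as_of) if f.is_open(as_of))


def mean_time_to_fix(findings: List[Finding], app: str, as_of: date) -> Optional[float]:
    fixed = [f for f in _for_app(findings, app, as_of) if not f.is_open(as_of)]
    if not fixed:
        return None
    return sum(f.age_days(as_of) for f in fixed) / len(fixed)


def remediation_rate(findings: List[Finding], app: str, as_of: date) -> Optional[float]:
    # Share of all findings ever raised for the app that are closed on the reporting date.
    scoped = _for_app(findings, app, as_of)
    if not scoped:
        return None
    return sum(1 for f in scoped if not f.is_open(as_of)) / len(scoped)


def mean_open_age(findings: List[Finding], app: str, as_of: date) -> Optional[float]:
    still_open = [f for f in _for_app(findings, app, as_of) if f.is_open(as_of)]
    if not still_open:
        return None
    return sum(f.age_days(as_of) for f in still_open) / len(still_open)


def defect_density(findings: List[Finding], app: str, as_of: date, server_count: int) -> float:
    # Open vulnerabilities per server; the server count comes from inventory, not from
    # the findings, so servers with zero findings are included in the denominator.
    if server_count <= 0:
        raise ValueError(f"no servers in inventory for {app}")
    return open_count(findings, app, as_of) / server_count


def overdue(findings: List[Finding], app: str, as_of: date) -> List[str]:
    # Open findings whose age exceeds the SLA for their severity.
    return [
        f.finding_id
        for f in _for_app(findings, app, as_of)
        if f.is_open(as_of) and f.age_days(as_of) > SLA_DAYS[f.severity]
    ]


def posture_report(findings: List[Finding], inventory: Dict[str, int], as_of: date) -> Dict[str, dict]:
    return {
        app: {
            "open": open_count(findings, app, as_of),
            "mean_time_to_fix_days": mean_time_to_fix(findings, app, as_of),
            "remediation_rate": remediation_rate(findings, app, as_of),
            "mean_open_age_days": mean_open_age(findings, app, as_of),
            "defect_density": defect_density(findings, app, as_of, servers),
            "overdue": overdue(findings, app, as_of),
        }
        for app, servers in inventory.items()
    }


# Constructed sample findings (IDs, apps and hosts are made up).
FINDINGS = [
    Finding("F-1", "billing", "srv-01", "high", date(2024, 1, 2), date(2024, 1, 12)),
    Finding("F-2", "billing", "srv-01", "medium", date(2024, 1, 5), date(2024, 1, 25)),
    Finding("F-3", "billing", "srv-02", "critical", date(2024, 1, 10)),
    Finding("F-4", "billing", "srv-03", "low", date(2024, 1, 20)),
    Finding("F-5", "portal", "srv-10", "high", date(2024, 1, 3), date(2024, 1, 9)),
    Finding("F-6", "portal", "srv-10", "medium", date(2024, 1, 15)),
]
# Constructed server inventory: how many servers each application runs on.
SERVER_INVENTORY = {"billing": 4, "portal": 1}
AS_OF = date(2024, 2, 1)

if __name__ == "__main__":
    for app, metrics in posture_report(FINDINGS, SERVER_INVENTORY, AS_OF).items():
        print(app, metrics)
```

The "overdue" list is the item leadership usually asks about first: it turns the raw time-open metric into an SLA breach count per application, which is easier to trend week over week than an average age.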
