Using Benchmarks to Make the Case for AppSec

In a recent Veracode webinar on the subject of making the business case for AppSec, Colin Domoney, DevSecOps consultant, introduced the idea of using benchmarking to rally the troops around your AppSec cause. He says, “What you can do is you can show where your organization sits relative to other organizations and then your peers. If you're lagging, that's probably a good reason to further invest. If you're leading, perhaps you can use that opportunity to catch up on some of your more ambitious projects. We use benchmarking quite frequently. It's quite a useful task to undertake.”

Ultimately, the value of benchmarks is two-fold; you can see, as Colin says, “where you’re lagging” and use that data to make the case for more budget. But it also strengthens your ask by giving it priorities and a clear road map. For instance, you could say, “we need more AppSec budget,” but your argument is more powerful if you can say, “OWASP’s maturity model recommends automating security testing,” or “most organizations in the retail industry are testing for security monthly.”

If you’re looking for some AppSec benchmarking data, we recommend considering the following:

OWASP’s OpenSAMM Maturity Model: OWASP’s Software Assurance Maturity Model (SAMM) is “an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

• Evaluating an organization’s existing software security practices.
• Building a balanced software security assurance program in well-defined iterations.
• Demonstrating concrete improvements to a security assurance program.
• Defining and measuring security-related activities throughout an organization.”

At the highest level, SAMM defines four critical business functions related to software development. Within each business function are three security practices, and within each practice there are three levels of maturity, each with related activities. For instance, under the Business Function “Verification,” there is a security practice called “Implementation review,” which has the following maturity levels:

• Level one:  “Opportunistically finding basic code-level vulnerabilities and other high-risk security issues.”
• Level two: “Make implementation review during development more accurate and efficient through automation.”
• Level three: “Mandate comprehensive implementation review process to discover language-level and application-specific risks.”

The model also goes into detail on each of the security activities, the success metrics, and more. There is also a related “How-To Guide” and “Quick Start Guide.”

Veracode’s Verified Program: We created Verified to both give customers a way to prove to their customers that security is a priority, but also to give customers a road map toward application security maturity, based on our own 10+ years experience of what good AppSec looks like. Want to see how you stack up against a mature program? Take a look at the requirements for the highest Verified tier – Verified Continuous level. If your program looks more like the Standard or Team levels, use that to make the case to grow your program with a clear roadmap of what is entailed in taking your program to the next level.

Veracode State of Software Security (SOSS) report: Our annual report offers some valuable benchmarking data for your AppSec program. Because we are a SaaS platform, we are able to aggregate all our scan data and look at trends across industries, geographies, and development processes.

You can use the SOSS report to benchmark your program against all organizations, those in your industry, or against those that are implementing practices that are improving the state of their software security. For instance, this year’s report found that 80 percent of applications don’t contain any high-severity flaws – how do you measure up? In addition, we found that those who are scanning the most (260+ times per year) have 5x less security debt and improve their median time to remediation by 72 percent. How often are you scanning?

You can also use the SOSS report to measure your program and progress against your peers in your industry. For example, this year, we found that most of the top 10 flaw categories show a lower prevalence among retailers compared to the cross-industry average. The exceptions to that rule are Credentials Management and, to a lesser extent, Code Injection. It’s possible these tie back to core functionality in retail applications – authenticating users and handling user input. If you’re in the retail industry, you’ve now got a solid starting point for vulnerability types to focus on. If you’re in the Government and Education sector, your peers are struggling with Cross-Site Scripting flaws, are you? And finally, those in the financial sector, have the best fix rate among all industries at 76 percent – does your fix rate compare favorably?

Learn more

To find out more about making the case for AppSec, check out our new guide, Building a Business Case for Expanding Your AppSec Program.