Thursday, March 17, 2005

Application Security Roadmap

The execution of an Application Security roadmap should be carried out in five basic steps:

1. Build a plan: Recognize the potential dependencies between the various initiatives, and integrate the projects into a plan that is tailored to your application process, development tools, programming language, platform, and technology. The plan should focus on developing the building blocks of change, capture the know-how of the current IT application development process, and determine the best way to gradually adjust that process to fold in security best practices.

2. Roll out individual best-practice initiatives carefully: Establish a champion to drive and take ownership of each integrated project. Run a successful pilot in one part of the IT organization before attempting to spread best practices far and wide.

3. Train people: Developers and architects remain blithely unaware of security and of the critical role they play in it. Training and mentorship are a necessity.

4. Establish metrics: Apply a business-driven metrics scorecard to monitor progress and assess success. Metrics and measures (even relative metrics based on risk over time, or business metrics such as maintenance budget) are critical to making progress in a large organization.

5. Establish and sustain a continuous improvement capability: Create a situation in which continuous improvement can be sustained by measuring results and periodically refocusing attention on the weakest aspects of your application's security.

Bayan Alhaddad
March 17th 2005