February 26, 2024
Why Application Security Matters to Me:
Evaluating Application Security Posture Management (ASPM) for VPs of Engineering
In today’s digital landscape, where cyber threats are constantly evolving, organizations must prioritize their cybersecurity measures to protect their sensitive data and maintain their reputation. This is the second in a series of blog posts that explores, from a firsthand perspective, why the various stakeholders in Application Security implement Application Security Posture Management (ASPM) as the backbone to their DevSecOps program.
In this segment, we look at the value of ASPM for the VP of Engineering.

I am a VP of Engineering…
My job is to ensure my team delivers the things they said they would, when I said they would, so that I am not introducing risk to the business by not delivering something on time.
I look at risk from three angles:
- Productivity: Is my team optimized for velocity and efficiency?
- Delivery: Am I predicting and mitigating blockers so that we can deliver on time?
- Value: How am I balancing short-term delivery costs with long-term strategic objectives?
As we’ve become a DevOps organization, Application Security has failed to keep pace. I know security is important because it’s part of the quality of the code my team delivers. However, if I don’t understand the spec for what specifically needs to be done for an application in a way that is easy to disseminate to my team, then it poses a risk to me, my team, and the business.
Vulnerabilities are 100X more expensive to fix in production
However, just like with bugs, there is always a cost to waiting to fix. And of course, then we start to accumulate security debt, which isn’t just a liability but becomes harder and harder to fix. So why, when I have a strong grasp on processes and automation for development, QA, and backlog, does it feel so hard to include security as part of this?
Well, it’s not just that the number of new vulnerabilities identified is growing exponentially daily – 26,000 new ones were identified last year alone! It’s also that security has its own lifecycle: different policies and different tests that have to be run at very specific times. And because they have to be reactive to the ever-changing cyber threat landscape, as well as to how our application changes, even if I wanted to relegate my team to a lifetime in security training (which I do not, nor do they want even an hour), they’d never be able to stay on top of the most current security requirements.

ASPM enables me to integrate security without sacrificing velocity or agility
By managing, automating, and orchestrating the application security lifecycle as part of the SDLC, ASPM orchestration gives my developers the autonomy they want to develop the best features, with guardrails so they don’t create unnecessary work to be fixed later, while security gets the accountability they crave without having to babysit my team or block the pipeline. This does not mean that there aren’t points where we have to stop. For example, when my developers check in their code, they cannot complete the PR until the SAST has been kicked off and the criticals have been fixed. But we sometimes have to slow down at moments to speed up overall. After all, DevOps is about not just speed, but efficiency.
With ASPM I get to:
- Reduce the Noise by having vulnerabilities automatically prioritized based on the application-specific risk profile, and only those vulnerabilities that need to be fixed are synchronized into our backlog ( are – they get it delivered to them as part of their feature ticket.
- Eliminate Bottlenecks by automating and orchestrating the security guardrails
- Deliver on time by managing issues proactively: we can mitigate and accept risk throughout the development process, so there are no surprises when it comes to release.
Are you ready to capture the benefits for yourself or your VP?
Learn more about Wabbi, the industry’s only universal Application Security Posture Management platform that allows security and development to become integrated without disrupting either of their existing workflows.