February 26, 2024
Why Application Security Matters to Me:
Evaluating Application Security Posture Management (ASPM) for VPs of Engineering
In today’s digital landscape, where cyber threats are constantly evolving, organizations must prioritize their cybersecurity measures to protect their sensitive data and maintain their reputation. This is the second in a series of blog posts that explores, from a firsthand perspective, why the various stakeholders in Application Security implement Application Security Posture Management (ASPM) as the backbone to their DevSecOps program.
In this segment, we look at the value of ASPM for the VP of Engineering.
I am a VP of Engineering…
My job is to ensure my team delivers what they committed to, when I said they would, so I am not introducing risk to the business by missing a delivery date.
I look at risk from three angles:
- Productivity: Is my team optimized for velocity and efficiency?
- Delivery: Am I predicting and mitigating blockers so that we can deliver on time?
- Value: How am I balancing short-term delivery costs with long-term strategic objectives?
As we’ve become a DevOps organization, Application Security has failed to keep pace. I know security is important because it’s part of the quality of the code my team delivers. However, if I don’t understand the spec for what specifically needs to be done for an application, in a form that is easy to disseminate to my team, then it poses a risk to me, my team, and the business.
Vulnerabilities are 100X more expensive to fix in production
Just like with bugs, there is always a cost to waiting to fix. And then we start to accumulate security debt, which isn’t just a liability, but becomes harder and harder to fix. So why, when I have a strong grasp of processes and automation for development, QA, and backlog management, does it feel so hard to include security as part of this?
Well, it’s not just the fact that the number of new vulnerabilities identified is growing exponentially daily – 26,000 new ones were identified last year alone! It’s also the fact that security has its own lifecycle – different policies and different tests that have to be run at very specific times. And because those have to react to the ever-changing cyber threat landscape, as well as to how our application changes, even if I wanted to relegate my team to a lifetime in security training (which I do not, nor do they want even an hour), they’d never be able to stay on top of the most current security requirements.
ASPM enables me to integrate security without sacrificing velocity or agility
By managing, automating, and orchestrating the application security lifecycle as part of the SDLC, ASPM orchestration gives my developers the autonomy they want to develop the best features, with guardrails so they don’t create unnecessary work to be fixed later, while security gets the accountability they crave without having to babysit my team or block the pipeline. This does not mean there are no points where we have to stop. For example, when my developers check in their code, they cannot complete the PR until the SAST has been kicked off and the criticals have been fixed. We sometimes have to slow down at moments to speed up overall. After all, DevOps is about not just speed, but efficiency.
With ASPM I get to:
- Reduce the noise by having vulnerabilities automatically prioritized based on the application-specific risk profile, so that only those vulnerabilities that need to be fixed are synchronized into our backlog; developers get them delivered as part of their feature ticket.
- Eliminate bottlenecks by automating and orchestrating the security guardrails.
- Deliver on time by managing issues proactively: we can mitigate and accept risk throughout the development process so there are no surprises when it comes to release.
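As an added illustration (example code written for this page, not Wabbi’s product or code from the original post), here is a small Python model of the guardrail and prioritization described above: the PR is blocked until the SAST scan has actually run and no critical findings remain, each finding is re-rated against an assumed application risk profile, only findings above a threshold are synced to the backlog, and those items are attached to the developer’s feature ticket. The `Finding`, `RiskProfile`, `evaluate_pr` and `backlog_items` names, the severity-bump rule and the sample findings are all constructed for this example.

```python
"""Hypothetical PR security gate driven by an application risk profile.

Example code, not any vendor's implementation. Names, policy rules and
sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    """One SAST finding as a scanner might report it (constructed shape)."""
    finding_id: str
    severity: Severity
    component: str
    accepted_risk: bool = False  # risk formally accepted earlier in the process


@dataclass(frozen=True)
class RiskProfile:
    """Application-specific risk profile (assumed shape, not a real API)."""
    app_name: str
    internet_facing: bool
    handles_sensitive_data: bool
    sync_threshold: Severity = Severity.HIGH  # lowest effective severity that lands in the backlog


@dataclass
class GateDecision:
    scan_completed: bool
    blocking: list = field(default_factory=list)  # must be fixed before the PR can complete
    backlog: list = field(default_factory=list)   # synced to the feature ticket, fix later
    accepted: list = field(default_factory=list)  # already-accepted risk, no action
    ignored: list = field(default_factory=list)   # below threshold for this app: noise

    @property
    def allow_merge(self) -> bool:
        # No scan result at all is itself a blocking condition.
        return self.scan_completed and not self.blocking


def effective_severity(finding: Finding, profile: RiskProfile) -> Severity:
    """Re-rate the scanner severity against the app's exposure (constructed rule).

    Each exposure factor raises the severity one level, capped at CRITICAL.
    """
    level = int(finding.severity)
    if profile.internet_facing:
        level += 1
    if profile.handles_sensitive_data:
        level += 1
    return Severity(min(level, Severity.CRITICAL))


def evaluate_pr(findings, profile: RiskProfile, scan_completed: bool) -> GateDecision:
    """Sort findings into blocking / backlog / accepted / ignored for one PR."""
    decision = GateDecision(scan_completed=scan_completed)
    for finding in findings:
        if finding.accepted_risk:
            decision.accepted.append(finding)
            continue
        rating = effective_severity(finding, profile)
        if rating == Severity.CRITICAL:
            decision.blocking.append(finding)
        elif rating >= profile.sync_threshold:
            decision.backlog.append(finding)
        else:
            decision.ignored.append(finding)
    return decision


def backlog_items(decision: GateDecision, feature_ticket: str, profile: RiskProfile):
    """Attach non-blocking findings to the developer's feature ticket."""
    return [
        {"parent": feature_ticket, "finding": f.finding_id,
         "severity": effective_severity(f, profile).name}
        for f in decision.backlog
    ]


# Constructed sample data: one PR's SAST output and two application profiles.
SAMPLE_FINDINGS = [
    Finding("F-1", Severity.CRITICAL, "checkout/payment.py"),
    Finding("F-2", Severity.HIGH, "checkout/session.py"),
    Finding("F-3", Severity.MEDIUM, "checkout/templates.py"),
    Finding("F-4", Severity.LOW, "checkout/logging.py"),
    Finding("F-5", Severity.HIGH, "checkout/legacy_export.py", accepted_risk=True),
]
PUBLIC_APP = RiskProfile("storefront", internet_facing=True, handles_sensitive_data=False)
INTERNAL_APP = RiskProfile("batch-reporting", internet_facing=False, handles_sensitive_data=False)

if __name__ == "__main__":
    result = evaluate_pr(SAMPLE_FINDINGS, PUBLIC_APP, scan_completed=True)
    print("merge allowed:", result.allow_merge)
    print("blocking:", [f.finding_id for f in result.blocking])
    print("backlog:", backlog_items(result, "FEAT-123", PUBLIC_APP))
```

The same HIGH finding blocks the PR on the internet-facing app but only lands in the backlog on the internal one, which is the "application-specific risk profile" point in the list above: the gate is the same, the rating is not.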
Are you ready to capture the benefits for yourself or your VP?
Learn more about Wabbi, the industry’s only universal Application Security Posture Management platform that allows security and development to become integrated without disrupting either of their existing workflows.