Application Security Posture Management for VP of Engineering

February 26, 2024

Why Application Security Matters to Me:
Evaluating Application Security Posture Management (ASPM) for VPs of Engineering

In today’s digital landscape, where cyber threats are constantly evolving, organizations must prioritize their cybersecurity measures to protect their sensitive data and maintain their reputation. This is the second in a series of blog posts that explores, from a firsthand perspective, why the various stakeholders in Application Security implement Application Security Posture Management (ASPM) as the backbone of their DevSecOps program.

In this segment, we look at the value of ASPM for the VP of Engineering.

I am a VP of Engineering…

My job is to ensure my team delivers what they said they would, when I said they would, so that I am not introducing risk to the business by missing a delivery date.

I look at risk from three angles:

1. Productivity: Is my team optimized for velocity and efficiency?
2. Delivery: Am I predicting and mitigating blockers so that we can deliver on time?
3. Value: How am I balancing short-term delivery costs with long-term strategic objectives?

As we’ve become a DevOps organization, Application Security has failed to keep pace. I know security is important because it’s part of the quality of the code my team delivers. However, if I don’t understand the spec for what specifically needs to be done for an application in a way that is easy to disseminate to my team, then it poses a risk to me, my team, and the business.

Vulnerabilities are 100X more expensive to fix in production

However, just like with bugs, there is always a cost to waiting to fix. And of course, then we start to accumulate security debt, which isn’t just a liability but becomes harder and harder to fix. So why, when I have a strong grasp on processes and automation for development, QA, and backlog, does it feel so hard to include security as part of this?

Well, it’s not just the fact that the number of new vulnerabilities identified is growing exponentially every day – 26,000 new ones were identified last year alone! It is also the fact that security has its own lifecycle – different policies and different tests that have to be run at very specific times. And because those policies and tests have to react to the ever-changing cyber threat landscape, as well as to how our application changes, even if I wanted to relegate my team to a lifetime in security training (which I do not, nor do they want even an hour), they’d never be able to stay on top of the most current security requirements.

ASPM enables me to integrate security without sacrificing velocity or agility

By managing, automating, and orchestrating the application security lifecycle as part of the SDLC, ASPM orchestration gives my developers the autonomy they want to develop the best features, with guardrails so they don’t create unnecessary work to be fixed later, while security gets the accountability they crave without having to babysit my team or block the pipeline. This does not mean that there aren’t points where we have to stop. For example, when my developers check in their code, they cannot complete the PR until the SAST scan has been kicked off and the criticals have been fixed. But we sometimes have to slow down at certain moments to speed up overall. After all, DevOps is about not just speed, but efficiency.

With ASPM I get to:
• Reduce the noise by having vulnerabilities automatically prioritized based on the application-specific risk profile, so that only those vulnerabilities that need to be fixed are synchronized into our backlog and developers get them delivered as part of their feature ticket.
• Eliminate bottlenecks by automating and orchestrating the security guardrails.
• Deliver on time by managing issues proactively: we can mitigate and accept risk throughout the development process so there are no surprises when it comes to release.
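The two mechanisms described above, the PR guardrail (no merge until SAST has run and criticals are fixed) and the risk-profile-based prioritization that feeds only what needs fixing into the feature ticket, can be sketched as a small policy gate. The following is an added example written for this post, not Wabbi's code; the RiskProfile fields, the severity scale, the adjustment rules and the sample scanner findings are all constructed for illustration.

```python
"""PR security gate: re-rank SAST findings by application risk profile, block the
PR on criticals, and pass only what needs fixing to the developer's feature ticket.

Added example modelled on the workflow the post describes; it is not Wabbi's code.
The RiskProfile fields, the severity scale, the adjustment rules and the sample
findings are constructed for illustration.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_TO_SEVERITY = {rank: name for name, rank in SEVERITY_RANK.items()}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str    # severity as reported by the scanner
    category: str    # constructed categories: injection, auth, xss, crypto, logging
    path: str


@dataclass
class RiskProfile:
    """Application-specific context that drives prioritization (assumed shape)."""
    internet_facing: bool
    handles_pii: bool
    accepted: set = field(default_factory=set)   # finding ids whose risk security formally accepted
    min_backlog_severity: str = "high"           # anything below this is noise for the developer


@dataclass
class GateDecision:
    merge_allowed: bool
    blocking: list = field(default_factory=list)    # must be fixed before the PR can complete
    backlog: list = field(default_factory=list)     # synchronized into the feature ticket
    accepted: list = field(default_factory=list)    # risk accepted: tracked, not blocking
    suppressed: list = field(default_factory=list)  # below the backlog threshold for this app


def adjusted_severity(finding: Finding, profile: RiskProfile) -> str:
    """Raise scanner severity one step where the app context makes that bug class worse."""
    rank = SEVERITY_RANK[finding.severity]
    if profile.internet_facing and finding.category in {"injection", "auth", "xss"}:
        rank += 1   # reachable by anonymous users
    if profile.handles_pii and finding.category in {"crypto", "logging"}:
        rank += 1   # weak crypto or verbose logs around personal data
    return RANK_TO_SEVERITY[min(rank, SEVERITY_RANK["critical"])]


def evaluate_pr(findings, profile: RiskProfile, sast_completed: bool) -> GateDecision:
    """Apply the guardrail: SAST must have run, and no adjusted-critical finding may remain."""
    if not sast_completed:
        return GateDecision(merge_allowed=False)   # the scan itself is a precondition
    decision = GateDecision(merge_allowed=True)
    threshold = SEVERITY_RANK[profile.min_backlog_severity]
    for f in findings:
        if f.finding_id in profile.accepted:
            decision.accepted.append(f)
            continue
        adj = adjusted_severity(f, profile)
        if adj == "critical":
            decision.blocking.append(f)
        elif SEVERITY_RANK[adj] >= threshold:
            decision.backlog.append(f)
        else:
            decision.suppressed.append(f)
    decision.merge_allowed = not decision.blocking
    return decision


def ticket_lines(decision: GateDecision, profile: RiskProfile) -> list:
    """Lines that would be attached to the developer's feature ticket."""
    lines = [f"BLOCKING {f.finding_id} {f.path}: {f.category} (critical for this app)"
             for f in decision.blocking]
    lines += [f"FIX {f.finding_id} {f.path}: {f.category} ({adjusted_severity(f, profile)})"
              for f in decision.backlog]
    return lines


# Constructed sample scan output for an internet-facing service that stores PII.
SAMPLE_PROFILE = RiskProfile(internet_facing=True, handles_pii=True, accepted={"SAST-005"})
SAMPLE_FINDINGS = [
    Finding("SAST-001", "critical", "injection", "api/login.py"),
    Finding("SAST-002", "high", "injection", "api/search.py"),      # escalates to critical
    Finding("SAST-003", "medium", "crypto", "services/export.py"),  # escalates to high
    Finding("SAST-004", "low", "logging", "util/debug.py"),         # medium: below threshold
    Finding("SAST-005", "high", "crypto", "legacy/hash.py"),        # risk formally accepted
    Finding("SAST-006", "medium", "xss", "web/profile.py"),         # escalates to high
]

if __name__ == "__main__":
    result = evaluate_pr(SAMPLE_FINDINGS, SAMPLE_PROFILE, sast_completed=True)
    print("merge allowed:", result.merge_allowed)
    print("\n".join(ticket_lines(result, SAMPLE_PROFILE)))
```

Two design points matter here. First, the gate treats "SAST has not run" and "critical still open" as the same outcome (no merge), so a pipeline misconfiguration cannot silently pass code through. Second, risk acceptance is an explicit, recorded decision in the profile rather than a developer suppressing a finding locally, which is what lets the VP say there are no surprises at release time.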

Are you ready to capture the benefits for yourself or your VP?

Learn more about Wabbi, the industry’s only universal Application Security Posture Management platform that allows security and development to become integrated without disrupting either of their existing workflows.
