Ensuring application security and resilience is largely a technical endeavor. From source code development to vulnerability and penetration testing and all the variables in between, there are a lot of moving parts on the technical side. It’s important, however, to remember the soft side of application security, especially as it relates to the bigger picture area of setting and achieving your goals.
Goal setting is very straightforward but only eight percent of people actually achieve their goals. If you have the desire to improve your application security program as well as stand out in your organization and rise above the noise of the world, here’s what you need to do to get started down the path of improvement:
- Determine what you want to accomplish and write it out in the present tense. This will allow you to be specific on what you’re looking to do, and it programs your subconscious mind to believe that the goal has already been accomplished.
- Outline the steps you’ll need to take to accomplish the goal. This will help to set expectations and create a roadmap to follow. It can also be helpful to write out any roadblocks you might anticipate for each goal.
- Set a specific deadline. This makes the goal more tangible and helps to hold you accountable.
You will want to prioritize each of your goals, so you’ll know which one to focus on first, second, and so on. It’s also important to revisit your goals, ideally every day, but at a minimum every week. This keeps them at the top of your mind so that you are thinking about them on a periodic and consistent basis.
The types of goals that you might set for application security improvement are endless. Of course, it depends on your specific risks and requirements but might include areas such as:
- Vulnerability and penetration testing
- Improvements involving specific security standards such as the OWASP Top 10
- Implementation of certain technical controls such as multifactor authentication or a web application firewall
- The creation of a security oversight committee
Taking the steps above and using vulnerability and penetration testing as an example, the following is a sample application security goal:
We scan and test our web applications for vulnerabilities on a periodic and consistent basis.
Steps required:
- We use a web vulnerability scanner to perform a full scan of all production applications on the first Friday of every month.
- We alternate scanning with and without user authentication.
- For authenticated scans, we scan with a different user role each month.
- We engage with a third party to perform a full assessment – vulnerability scanning and penetration testing – once per year.
Potential obstacles:
- Change windows or release cycles that prevent scans from being run
- Staff availability
- Budget
- Network devices such as web application firewalls and intrusion prevention systems that block scans
- User accounts may get locked during authenticated scanning
Deadline:
- Every 30 days for scans
- Every year for a full, independent assessment
This is the essence of setting goals and setting yourself and your application security program for success. There’s really nothing more to it.
For many technical professionals, the prospect of goal setting and management may not seem terribly exciting, but it can pay huge dividends over the long term. I have found that those who delve further into the business side of application security tend to experience greater rewards in their careers as well.
There’s a saying that if you don’t have goals for yourself then you’re doomed forever to achieve the goals of someone else. Having a set of application security goals that you are working towards is not going to be the silver bullet for keeping things protected. It takes work to determine what you want and then take the proper steps to go about getting it. Even with all the effort involved, having documented goals can help tremendously with oversight and accountability and give you and your team something to aim for. Taking this approach to application security will go a long way and help your efforts stand out in many positive ways, especially considering so many people and organizations have zero goals in this regard.
You don’t have to spend a ton of time on goal setting and management. You could easily write out some goals over a cup of coffee or lunch one day. Worst case, you get together with your colleagues and spend an hour or two on the whiteboard. The important thing is to get started. You don’t have to have perfection. You just need to want it badly enough and have the discipline to see it through. If you work on each goal every day, even if it’s just in some small way, you can accomplish more than you ever believed you could.
Get the latest content on web security
in your inbox each week.
THE AUTHOR
