Impressions from the Security Track at IBM Innovate
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM | | Tags:  rational appscan innovate ibm 2012 security
0 Comments | 3,434 Visits
Today's post is from Constantine Grancharov, Product Manager, Appscan Enterprise.
I attended the IBM Rational Innovate conference in Orlando this week and participated in a number of the sessions from the Security track. It was a great opportunity for me as a Product Manager to get more insight about the trends in the industry and meet with customers to get a better understanding of the challenges they face.
I found the customer case studies particularly interesting. It is encouraging to see that compared to several years ago, many organizations have made significant progress, not only with successfully deploying the AppScan product, but also implementing comprehensive application security programs. Being proactive and taking security into consideration during the application development lifecycle is key to avoiding a security breach and ensuring lower development costs.
Here are some of the tips and best practices for implementing an application security program that were shared by security experts who attended the conference.
o An effective application security program has three pillars: people, process and technology. Having the right application security testing tools, like AppScan, is very important, but it is not sufficient. An organization has to take into account all three pillars to have a successful program.
o Obtain executive sponsorship - these days Security is discussed in the boardroom. Ensuring the support of upper management is a prerequisite for the success of your program.
o Raise awareness - educate your development teams on application security and show them how simple coding errors can cause security breaches costing an organization millions of dollars.
o Know where you are at - obtain initial metrics and understand your current state of security.
o Start testing early in the lifecycle - the earlier you start testing, the easier and less expensive it will be to fix security vulnerabilities.
o Don't overwhelm your developers - start with testing for vulnerabilities that they can clearly understand and address.
o Take a risk based approach - you may not be able to address all vulnerabilities. Security is about managing risk. Determine what is an acceptable level of risk and work towards it.
o Measure progress - this will help justify the investment in your application security program to upper management and will motivate your development team.
I hope that these tips will help you during the implementation of your application security program. For more information, visit us on the web at ibm.com/security.