Introducing Appsec360 part 2: The approach
We built Appsec360 to address the challenges of building and running a data-driven application security program by focusing on the four fundamental issues I described in one of my previous posts (see Part 1). Appsec360 is designed around three pillars that influenced all of our design decisions:
Transparent Security: We strongly believe that in a world of rapid development practices, security MUST be as low-touch as possible while still being effective. Based on our experience, once a baseline security review of a product is completed, 90% of subsequent releases do not require any formal interaction with the security team, because of the nature of the changes introduced.
Appsec360 is designed to enable this transparency by analyzing a wide array of product metadata and making intelligent decisions about which security inputs are relevant for a specific release. The platform then makes those security inputs available within the existing development tooling, so developers do not need to learn a new security tool.
Timely Intervention: We understand that inadequate oversight (particularly in security areas) inevitably leads to adherence gaps. Our platform must provide features that let security teams keep constant tabs on every release, from inception through to shipping, and define triggers that allow just-in-time intervention when it is needed.
Appsec360 enables product security teams to configure and trigger responses mapped to defined policies, and to integrate those responses with development and/or DevOps tooling. The platform has built-in connectors for more than 30 security and development tools, which makes integration with an existing tooling ecosystem easy and fast.
Continuous Feedback Loop: We strongly believe that security teams must incentivize development teams for ongoing good work. This means the security workload assigned to a development team varies depending on the historical evidence of work put into their product and on various other metadata points collected throughout the product's lifecycle.
Appsec360 generates and maintains an ongoing security profile for every product and provides customizable, point-in-time feedback on the security posture of a product and of the development team responsible for it.
End to End Management for Product Security Programs
The Appsec360 platform is designed to be a force multiplier for product security teams. It connects disparate sets of tools and workflows through seamless, process-based orchestration across the software development lifecycle. It provides avenues for introducing intelligent automation where it makes sense, and it is customizable to the specific requirements of the customer organization.
This concludes part 2 of the blog series we wrote to introduce Appsec360. In part 3, I will cover the benefits that a platform like Appsec360 brings to both application security and development teams.