Oct 17, 2018
Organisations go to great lengths trying to achieve compliance with government regulations and industry standards. Application security is becoming an increasingly crucial requirement for achieving compliance, and without good application security processes in place across your organisation, you can easily fall down on compliance as a result.
Today we're looking at how you can create an action plan to help your organisation achieve application security compliance.
1) Assess Existing Software Processes and Practices
The first step in your compliance action plan should be to work out what you’re already doing. How do your existing processes measure up to the compliance standards you need to achieve? This should include assessments of:
- Security measures (if any) that are taken during the software development lifecycle – such as threat modeling, code reviews for security, and static and penetration testing.
- Coding practices and standards, in terms of security effectiveness and how they measures up to regulatory requirements.
- Security policies and standards across the organisation, including any training provision.
- Your security team’s vulnerability response process.
2) Identify Gaps and Objectives
Once you’ve got a clear understanding of what you’re already doing in terms of application security, you can identify what still needs to be done to achieve compliance. For the second stage of your action plan you’ll need to identify the gaps between your current processes and practices, and compliance standards. You can use these insights to create a set of security targets that your organisation will need to meet before it achieves compliance. Additionally, you may want to include a sub-set of goals for additional good practices that would be desirable to improve your organisation’s application security, but which aren’t required for compliance.
3) Plan a Remediation Roadmap
Before you start making changes and rushing to improve your application security, you should take time to prioritise the work you need to do. This process will show you the actions that will provide your organisation with the biggest return on investment (based on their security impact) compared with the amount of effort and work that will be involved. There may be several quick wins that will dramatically improve your application security, giving your security team more time to focus on more complex, but lower-priority issues. Once you’ve prioritised your remediation actions, you should be able to create a phased remediation and compliance roadmap to structure your organisation’s path to achieving application security compliance.
4) Implement the Roadmap
The final step is where the action starts, where all your assessments, evaluation and planning finally start to make a tangible difference to your application security. Some of the remediation work may be possible for your organisation to manage in-house, but third-party tools and partners can be used for things like security training, penetration testing and threat modeling. Working with third-parties can help to accelerate your progress towards compliance standards, and will be particularly valuable if you’ve got a compliance review in the near future. Whether your organisation does the work themselves, or outsources parts of the remediation work, it’s vital that you regularly measure your progress relative to security and compliance requirements. This will allow you to adjust your roadmap in line with changing compliance standards and business priorities.