Get team buy-in to your application security program

When you’re looking to improve application security within your organisation, it’s important to get buy-in across the company. You need to create a culture that prioritises security. However, it can be hard for developers to prioritise security, as they are judged on the functionality rather than the security of their code. So today we're looking at 4 ways to get buy-in from your dev team to help them prioritise application security as much as the rest of your organisation.

When you’re looking to improve application security within your organisation, it’s important to get buy-in across the company. You need to create a culture that prioritises security. However, it can be hard for developers to prioritise security, as they are judged on the functionality rather than the security of their code.

So today I’m looking at 4 ways to get buy-in from your dev team to help them prioritise application security as much as the rest of your organisation. 1) Make Security Training an Executive Priority

Developer security training is crucial for improving application security, but you are likely to be faced with complaints from your developers who feel as though courses aren’t relevant to their specialisms, or are too time-consuming and take them away from urgent projects.

Any developer training program needs to start with a mandate from the company’s senior executives to kick-start it. A top-down approach ensures that security training has obvious buy-in from management, and helps developers understand that completing the course is a high priority. Mandatory training will encourage take-up from developers who would otherwise be unlikely to complete non-compulsory security training. 2) Highlight the Importance for Achieving Compliance

Now, more than ever, your organisation’s application security practices have a very real impact on compliance. Analyst firm Gartner stated that “over 70% of security vulnerabilities exist at the application layer, not the network layer”.

Therefore, industry standards bodies like the Payment Card Industry Security Standards Council are introducing requirements related to application development practices. In order to fully comply with the latest regulations, it’s vital that your organisation improves its application security.

A structured application security program can make the process of achieving compliance simpler and more likely. Positioning your application security program as an aid for achieving compliance is a great way to position it attractively and get buy-in from your dev team.

Learn more: Why Application Security is a Crucial Part of Compliance 3) Simplify the Relationship Between Development and Security Teams

In many organisations there’s a serious disconnect between development and security teams. Both teams work hard in their respective roles, but misaligned priorities and a lack of shared understanding across the two teams often cause tension between your development and security teams.

Improving your developers’ security knowledge through security training, and their practical skills by creating a secure software development lifecycle, can help improve understanding and communication between your development and security teams. When your security team brings their security report back to your dev team after running penetration and web application security tests, your dev team will have the necessary knowledge to understand what is required to remediate the vulnerabilities that security have identified. 4) Reduce Remediation Time

Securing your software development process with a structured application security program will make it quicker, cheaper and easier to fix vulnerabilities in your applications.

It’s 30x more expensive to fix a vulnerability during post-production than during the design and architecture stages of the software development lifecycle (SDLC). Additionally, with a structured application security program in place to shape and secure the SDLC, your dev team will be conducting more regular code reviews with security in mind.

This will mean that vulnerabilities will be identified earlier in the development process and can therefore be remediated before they become ingrained in your project and become much more difficult and time-consuming to fix. Your dev team won’t have to spend so much time on lengthy vulnerability remediation at the end of a project, which can make the difference between hitting or missing those project deadlines.

Discover how to roll out an effective training program to improve your organisation’s application security. Download your free whitepaper below.

Get Switched on

Subscribe to our newsletter to keep ahead in the industry, and be the first to access new reports and white papers.