Large enterprises tend to have a number of line-of-business (LOB) applications supporting business operations. It becomes key for an application security program to help the organization manage the risk posed by each of these applications. The portfolio typically consists of legacy applications, applications under development, and applications still in planning.

To start an application security program, the organization must set up a secure data center/environment to host secure applications. Applications must be on-boarded into this environment only after a security review (which I will discuss in a future post).

In order for the application security program to be successful, the following must happen:

  • All LOB applications hosted in this environment should undergo a security review. This review is mandatory and may require policy changes and governance to enforce.
  • Applications that fail a review with critical issues should not be hosted.
  • The assessment organization should be given enforcement capabilities; without enforcement, the program will be unsuccessful.

This typically starts with high-risk applications and is then sustained by assessing every newly developed application or release, along with a prioritized list of legacy applications.