

AppSec Adventure
Can you trust it when...
...your security hero is gone?
Every organization has these security heroes you can just call when something bad happens.
Who are your security heroes? What happens when they are on holiday, sick or simply leave tomorrow?
Who would fix it then?
...delivery pressure spikes?
This new feature or product that should have been shipped yesterday? We've all been there.
What corners would get cut to speed up delivery? Would you even notice when security gets cut?
What would get sacrificed?
...a critical incident hits?
No security budget can ensure your software will be 100% secure. Incidents are part of the game.
So let's face it: would a critical incident turn into a disaster, or are you prepared to handle it smoothly?
How painful would it be?


What causes AppSec programs to break down?
They are built on a false assumption.
Most AppSec programs focus on tools, policies and processes. Some may even go further by including people through training and Security Champions programs.
Nothing wrong with that, as long as you are on a paved road.
Besides all those measures, you are dealing with conflicting priorities, cultural friction, implicit expectations, unclear responsibilities, different personalities and always limited budget.
Does this sound like a nicely paved road?
Your terrain is much closer to navigating a rough off-road track with mud, deep sand or sharp rocks. Maybe you even need to cross a few rivers.
That's why you need to build a resilient AppSec system.


How does a resilient AppSec system differ?
A common AppSec program is basically a set of isolated measures. Success is often measured by activity. How many developers did you train? How many vulnerabilities were discovered and closed?
But AppSec doesn't happen in isolation.
It is built around an existing system that produces software: your Software Development Lifecycle (SDLC). AppSec just enhances this system to make sure the output is secure.
Let's imagine you want to reach North Cape in winter. The last kilometers can only be driven in a convoy behind a snowplow because the conditions are so harsh.
At that point, success is no longer just about a car that can handle the conditions.
The road must stay open. The convoy must work together. The snowplow must clear the road. The entire system must continue to function despite difficult conditions.
That's the difference:
AppSec programs can work for years while individual heroes compensate for missing system resilience. In a resilient AppSec system, you don't need heroes.
You design a system that can handle rough conditions.


How do you build a resilient AppSec system?
You can't improve a system you don't understand.
Before you can optimize for resilience, you need to understand your current system. The one that produces software and the extension designed to ensure it meets your desired level of security.
Second, you can discover where your system is most fragile at the moment and improve it.
If you're ready to start, you can choose between two routes:
The solo expedition:
Use the AppSec Ownership Model to analyze your own system and explore how responsibility could be distributed in a resilient AppSec system.
The guided route:
Book your Terrain Check to get a structured analysis of your current AppSec system, identify fragile areas and define practical next steps towards resilience.


Why I believe resilience matters for AppSec
When I built my first AppSec system from scratch, I didn't even know there was a name for what I was building. I was just a developer who got handed responsibility for AppSec.
So I tried to understand the system I had to work with. I talked to stakeholders and asked what they needed. I learned about various AppSec measures and somehow turned that knowledge into my very first AppSec system.
But something felt off: I had to constantly push.
Around the same time, I got into overland travel. I first thought it was all about a good, reliable car and becoming a skilled off-road driver. But in fact, this again is a system that includes not just the driver and the car; it also includes a good support network, like a garage I can call when something breaks.
Then I had to face the worst case: a damaged engine.
The vehicle my lifestyle depended on was gone. I was at my lowest, but the system I had built somehow worked. It helped me find a new car, recover, and eventually get back on the road.
After that experience, I know I can trust my system.
Losing my car was painful. Losing key people is painful for every organization. That's why I believe every AppSec system should be optimized for resilience.

