I spoke with a chap about AppSec, and he shared a story of a team he worked with as a Product Manager. This company’s security efforts were focused on compliance and risk management, not pure-play AppSec.
He shared that when the Security team would find something, they would reach out to Product Management, declare the issue, and then say nothing. When pressed for assistance in mitigating the issue, they would hear the joyous sound of crickets 🦗 on a summer evening. The Security team had no insight or wisdom to share, leaving them to flounder.
I guess that this happens more than I would like to imagine. I think about the better-case scenario when advising development teams from security. I think of AppSec as a glorified coaching service, where our role is to identify the issues and solve the problem.
As I’m finding is often the case, I’m living in a purist world and need more insights from the real world. I need to understand more about what is happening in AppSec. I like to think of my approach as reasonable application security, but I guess that reasonable in my mind is not what is often deployed in the real world.
Embrace security coaching — find a way to add it to your AppSec program offering. The value of coaching pays off tenfold, as coaches teach, and the students take the knowledge and reflect it to others. The students become the teachers, and your security architecture and implementation gain the benefit.