Start here: AppSec Ownership Model
Shared responsibility fails without clear accountability.
AppSec can’t be owned by a single role or team. It is therefore only logical to view security as a shared responsibility for everyone. Nevertheless, this approach often fails because accountability is not clearly assigned.
I came up with the AppSec Ownership Model to create a shared understanding with my client of what AppSec ownership actually means. I wanted to put something that was already clear in my head on paper to build their AppSec program on this foundation. You can’t address problems if you don’t know who is accountable for solving them.
What is Application Security?
What are we actually talking about? Developing secure software? Application Security?
Application Security includes every action you take to ensure that the software you build is and remains secure.
The simple reason I came up with this definition is that you need actions to turn an insecure software development lifecycle (SDLC) into a secure SDLC. If you don’t turn thinking into actions, you are just designing on paper, not in the real world.
What makes a SDLC secure?
Now that we know what we are talking about. What actually turns the SDLC into a secure SDLC (SSDLC)?
If you think of AppSec as a big cake, here’s how I would slice it:
Secure Design
Secure Coding
Security Tooling
Vulnerability Management
Incident Readiness
Security Strategy
Security Culture
If you want to dive into each of the seven domains first, start here:
Who needs to take action?
I came up with five mandatory roles and one optional role that share AppSec ownership:
The Executor (e.g., software developers)
The Owner (e.g., AppSec lead)
The Gatekeeper (e.g., project leaders)
The Backbone (e.g., executive leadership)
The Advocate (e.g., security champions)
The Catalyst (e.g., any external expertise) - optional
Every role links to its own deep dive where we:
define and assign the role
explore which domains they touch
clarify accountability
see which roles they interact with
I follow a developer-centric approach to AppSec because I believe in trust, freedom and collaboration. If you want to understand the background, you can dive in here:
Can you just give me the bigger picture?
We’ve got seven domains, each of which needs an owner and we’ve got six roles that could own something in theorie. In practice, only the five mandatory roles should take ownership. Externalization of accountability would create long-term dependency and we want to avoid that.
Here’s the AppSec Ownership Model at one glance:
What is your experience with AppSec ownership? Where does it align the model and where does it conflict? I would be happy to learn more about your experience!