Applying Lean Principles to Application Security

What is LeanAppSec, and how can you use it?

Published on 13 May 2025

Jenn Gile, Head of Community at Endor Labs

Cybersecurity teams are facing a stark reality: Many budgets are flat or even shrinking. And whether at a startup or a Fortune 500 company, application security teams are stuck navigating a landscape of limited resources. They rarely have all the time, money, or people they might feel are necessary to reduce risk. If you've been to meetups or conferences this year, you've probably seen the same trends I've observed:

  • I talked to several people at RSAC who couldn't get their companies to pay for conference passes (so they came for all the freebies).
  • No matter the region, I constantly hear from college grads with cybersecurity degrees that they can't find entry-level jobs (even internships).
  • Application security leaders are struggling because their headcount is scaled back or they're told to reduce their spend on critical tools.

And while all this is happening, we're going through a major software development revolution as AI makes it faster, cheaper, and easier to write code (...but not more secure code).

Reduce risk without increasing resources

AI offers a lot of ways to make the best use of the resources you have (heck, I used two LLMs to get me started on this article). But it's not always about using emerging tech! Business skills and techniques that have been around for decades should be the start of the solution.

Enter LeanAppSec.

Just as lean manufacturing revolutionized production by focusing on efficiency and eliminating waste, a similar mindset shift is needed in how we approach application security. This isn't about doing less security; it's about doing the right security at the right time, minimizing waste and maximizing value. Let's delve into three fundamental principles of LeanAppSec and explore how they can be applied to enhance your application security practices.

  • Principle 1: Understand and map your value streams
  • Principle 2: Create flow through clean and continuously improved processes
  • Principle 3: Implement pull-based systems

I have to recognize Darren Meyer for his thought leadership on this topic during his time at Endor Labs! With two decades leading application security coupled with his research background and commitment to making security accessible, Darren was the "voice of AppSec" that helped me ground LeanAppSec in practical business needs and clear, actionable insights for busy AppSec practitioners. Thank you, Darren! ❤️

Principle 1: Understand and map your value streams

How does AppSec add value to the org’s goals?

The first crucial principle involves deeply understanding how your company creates value. This isn't just about technical security metrics; it requires understanding value in terms of both business and customer objectives. In lean thinking, a value stream encompasses all the steps, both value-added and non-value-added, required to bring a product or service from its conception to the customer.

Once you understand these value streams, the next step is to map the value from those company value streams to the specific activities that application security teams perform. This mapping exercise is vital because it allows AppSec teams to become laser-focused on delivering value. By understanding which AppSec activities directly contribute to business or customer value, you can prioritize efforts and ensure your limited resources are directed where they will have the most significant positive impact, rather than being spread thin across low-value tasks.

How to map value streams

  • Identify all steps involved in delivering software, from ideation to customer use, including development, testing, deployment, and maintenance.
  • Locate where security activities currently occur within these software delivery steps.
  • Analyze how security-related information flows (or doesn't) between teams and stages.
  • Detect points in the process that cause delays or don't add value from a business or security perspective.
  • Connect security efforts to overarching business goals and the value provided to customers.

Principle 2: Create flow through clean and continuously improved processes

How can AppSec processes ensure you don’t waste your limited resources?

The second principle focuses on creating states of flow. In the context of AppSec, this means establishing clean and continuously improved processes. Creating flow states for both application security activities and for the engineering teams they work with is essential.

The primary benefit of achieving this flow is to avoid wasting resources. This might involve streamlining security reviews, automating repetitive tasks, improving communication channels between security and development, and constantly looking for ways to smooth out handoffs and reduce bottlenecks in the security process integrated within the software development lifecycle. Continuous improvement is key; processes aren't static but should evolve to become ever more efficient.

How to create flow

  • Integrate security activities throughout the software development lifecycle (SDLC), not just at the end.
  • Leverage automation for repetitive security tasks like scanning and testing.
  • Establish consistent security guidelines and practices across development teams.
  • Break down large security tasks into smaller, more manageable units for faster feedback.
  • Enable development teams to request security services as needed, rather than security teams pushing activities.
  • Establish clear and timely feedback loops for security findings and lessons learned.
  • Foster a culture of ongoing review and refinement of security processes.

Principle 3: Implement pull-based systems

Where can AppSec activities coincide with SDLC activities?

The third principle is the creation of pull-based systems. Unlike push-based systems, where work is pushed onto other teams (often security pushing work onto developers), pull-based systems are demand-driven. This concept is directly related to just-in-time practices in lean manufacturing, where activities are performed at the precise moment they are needed.

For application security, implementing a pull-based system involves thinking about how to embed AppSec activities into the SDLC itself, rather than treating security as something to be bolted on later. This integration means application security becomes a natural, timely part of the development process, pulled by the needs of the development work itself, rather than being a separate phase that arrives unexpectedly.

A practical example of a pull-based system in AppSec is ensuring that developers only see vulnerability reports for things they actually need to fix. This simple change helps in eliminating busy work. Instead of drowning developers in irrelevant findings, a pull system ensures they receive actionable information precisely when and where it's needed, making the security remediation process more efficient and less burdensome.
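As an added illustration of that pull-based filter (example code, not from the original post or from Endor Labs), the routine below turns raw scanner findings into the short work queue one team would actually pull: it keeps only findings in components that team owns, that have a fix available, whose vulnerable code is reachable, and that meet a severity bar, then folds every vulnerability closed by the same upgrade into one work item. The ownership mapping, the `reachable` scanner flag and the `VULN-*` identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed_in: Optional[str]  # None: no upstream fix exists yet
    severity: str            # low | medium | high | critical
    path: str                # manifest that pulls the package in
    reachable: bool          # assumed scanner flag: vulnerable code is actually called

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed CODEOWNERS-style mapping: path prefix -> owning team.
OWNERS = {"services/payments/": "payments", "services/web/": "web"}

def owner_of(path: str) -> Optional[str]:
    """Longest matching prefix wins, as in CODEOWNERS."""
    matches = [p for p in OWNERS if path.startswith(p)]
    return OWNERS[max(matches, key=len)] if matches else None

def is_actionable(f: Finding, min_severity: str) -> bool:
    """A developer can act only if a fix exists, the code is reachable and severity meets the bar."""
    return (f.fixed_in is not None and f.reachable
            and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity])

def pull_queue(findings, team: str, min_severity: str = "high"):
    """Work items for one team: one per (package, version, manifest), listing every
    vulnerability the single upgrade closes, highest severity first."""
    items = {}
    for f in findings:
        if owner_of(f.path) != team or not is_actionable(f, min_severity):
            continue
        item = items.setdefault((f.package, f.installed, f.path), {
            "package": f.package, "installed": f.installed, "path": f.path,
            "vulns": [], "max_severity": "low"})
        item["vulns"].append(f.vuln_id)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[item["max_severity"]]:
            item["max_severity"] = f.severity
    return sorted(items.values(), key=lambda i: -SEVERITY_RANK[i["max_severity"]])

# Constructed scanner output; VULN-* ids are placeholders, not real advisories.
PAY = "services/payments/requirements.txt"
SAMPLE = [
    Finding("VULN-0001", "libfoo", "1.2.0", "1.2.5", "critical", PAY, True),
    Finding("VULN-0002", "libfoo", "1.2.0", "1.2.3", "high", PAY, True),      # same upgrade
    Finding("VULN-0003", "libbar", "0.9.0", None, "critical", PAY, True),     # no fix yet
    Finding("VULN-0004", "libbaz", "2.0.0", "2.0.1", "high", PAY, False),     # unreachable
    Finding("VULN-0005", "libqux", "3.1.0", "3.1.1", "medium", PAY, True),    # below bar
    Finding("VULN-0006", "libfoo", "1.2.0", "1.2.5", "critical", "services/web/package.json", True),
]
```

Of six raw findings, the payments team pulls a single work item (upgrade `libfoo`), while the unfixable, unreachable, low-priority and other-team findings never reach their queue.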

How to create pull-based systems

  • Shift to a model where security activities are initiated by the needs of the development process.
  • Provide developers with easy access to security tools, documentation, and training.
  • Empower individuals within development teams to champion security practices.
  • Make security expertise available on demand for timely assistance.
  • Deliver security training and guidance precisely when and where it's needed.
  • Define clear expectations for security service delivery through Service Level Agreements (SLAs).

Overall benefits of applying LeanAppSec principles

By embracing the principles of LeanAppSec, organizations can achieve significant improvements in their application security efforts, leading to:

  • Increased Efficiency and Reduced Waste: Streamlining processes, automating tasks, and integrating security earlier optimizes resource utilization and minimizes costly rework.
  • Faster and More Secure Development: Embedding security into the development lifecycle and making it demand-driven accelerates delivery while improving code quality and reducing vulnerabilities.
  • Stronger Collaboration and Risk Management: Fostering better communication between teams and focusing on value-driven security activities leads to more effective risk mitigation and a stronger overall security posture.
