This is an informational web site. It is not trying to sell anything.
It aims to pull together lessons learned from several years of creating and managing an Application Security Program at Ribbon Communications (and Sonus Networks before that). I hope to bring in insights from others, but to start it is a one-person show.
The web site does reference different vendors by way of example. This is not intended as an endorsement of one vendor over another; the specific examples cited are largely a reflection of my experience.
Does the world need yet another high-level statement of how to do application security? A number of other such frameworks are presented for reference under Other Frameworks. Of course the desired final state is much the same. The presentation here is a little different in a few respects:
- It attempts to identify a model that is applicable to small organizations as well as larger organizations.
- It leads with specific activities to undertake rather than with security goals, in an attempt to make it more accessible to non-experts.
- It provides help in prioritizing the many different things that might be done as part of a program.
- It boils it all down to simple bullet lists of program activities and accomplishments.
This follows a cookbook recipe model. One can create a perfectly passable dish from a recipe without understanding anything about food science. The same holds for application security: one can pull together an initial application security program without having a deep understanding of application security. Of course that understanding will be a great help down the road, and you can only get so far without it. In fact, some of the program line items are there to build that understanding.