From an information security perspective, applications should be in scope for an organization's specific vulnerability assessments and application security requirements. The security validation and certification of applications follows specific security requirements, such as secure design, secure coding and secure operations, which are often among the goals of application security standards. Compliance is therefore a critical aspect of application security, and of CISOs' responsibilities, but not the only one. Application security spans other security domains that CISOs are responsible for. These can be summarized as Governance, Risk and Compliance (GRC).
- From the governance perspective, CISOs are responsible for instituting application security processes, defining the roles and responsibilities needed to manage them, and providing software security training and awareness, such as defensive coding for software developers and vulnerability risk management for information security officers and managers.
- From the risk management perspective, the risks managed by CISOs also include application security risks, such as the risk of specific threats targeting applications that process confidential user data, where the attacker seeks to exploit gaps in security controls as well as vulnerabilities in the applications themselves.
- Among the CISO's security domains, compliance with regulations and security standards is often the one that gets the most attention from the organization's executive management. The aim of this guide is to help CISOs fulfill compliance requirements, and also to use those compliance requirements as one of the justifications for investing in application security. For some organizations, managing the risk of security incidents such as credit card fraud, theft of personally identifiable information, and theft of intellectual property and confidential data is what gets most of executive management's attention, especially when the organization has already been impacted by a data breach.