Evaluating your organization’s application risk management journey
In this Help Net Security interview, Chris Wysopal, Chief Security Evangelist at Veracode, discusses strategies for CISOs to quantify application risk in financial terms.
Wysopal outlines the need for continuous risk management practices and robust strategies to manage third-party software dependencies, ensuring that security remains a priority throughout the software development lifecycle.
How can CISOs quantify application risk in financial terms to ensure that executive stakeholders understand the potential impact?
One way CISOs can articulate application risk in financial terms is by linking security improvement efforts to measurable outcomes, like cost savings and reduced risk exposure. This means quantifying the potential financial fallout from security incidents and showing how preventative measures mitigate these costs.
CISOs need to equip their teams with tools that will help them protect their business in the short and long term. A study we commissioned with Forrester found that putting application security measures in place could save the average organization millions in terms of avoided breach costs.
With a clear cost-benefit analysis, CISOs can demonstrate how automated security investments reduce the risk of costly incidents and enable faster time-to-market. This approach provides direct financial benefits with a clear ROI and aligns security strategies with executive stakeholders’ priorities for business growth and efficiency.
Given the increasing reliance on third-party software and open-source components, how should organizations manage and monitor the risks associated with external application dependencies?
Managing risks tied to third-party and open-source dependencies requires a robust, layered approach to software supply chain security. Tools like Software Composition Analysis (SCA) play a pivotal role in continuously scanning code to identify vulnerabilities early in the software development lifecycle (SDLC) – generating a comprehensive Software Bill of Materials (SBOM) and providing automated risk assessments and remediation guidance.
Additionally, a highly automated SDLC enables quick updates, minimizing exposure when new vulnerabilities emerge. Developer education is also crucial; it equips teams to write secure code and verify the safety of third-party components.
Effective integration of these tools, alongside developer education, can significantly limit exposure to supply chain threats, reduce financial and reputational risk, and protect an organization’s software ecosystem.
What are the best strategies for integrating risk management practices within DevSecOps workflows without introducing bottlenecks?
To weave risk management seamlessly into software development workflows, organizations must embed security across the entire SDLC from the very start. Adopting this ‘shift-left’ strategy encourages teams to conduct security checks early and often, ensuring vulnerabilities are detected early and minimizing the possibility of discovering issues late in the development process. We’ve seen that integrating automation into security workflows can enhance developer productivity by up to 80%, allowing teams to reallocate resources toward innovation.
Strategies, such as automating dynamic analysis testing, accelerate vulnerability remediation while maintaining development speed. Additionally, fostering a security-aware culture across teams – from developers to executives – ensures that safeguarding code is a collective responsibility, delivering secure applications faster without unnecessary delays.
What strategies should CISOs use to ensure that application risk management remains a dynamic, continuous process rather than a periodic assessment?
To keep application risk management a dynamic, continuous process, CISOs integrate security into every stage of software development. Instead of relying on periodic assessments, organisations should implement real-time risk analysis, continuous monitoring, and feedback mechanisms to enable teams to address vulnerabilities promptly as they arise, rather than waiting for scheduled evaluations. Incorporating automation can also play a key role in streamlining this process, enabling quicker remediation of identified risks.
Building on this, creating a security-first mindset across the organisation – through training and clear communication – ensures risk management adapts to new threats, supporting both innovation and compliance.
How can an organisation evaluate the maturity of its application risk management programme, and what metrics can they use to measure risk reduction over time?
Evaluating the maturity of an application risk management programme begins with benchmarking processes against the four established stages of AppSec maturity: Reactive, Baseline, Expanded, and Advanced. Each stage of this framework provides a guide to identifying where each organisation stands in terms of integrating security into their SDLC. Key metrics to measure risk reduction over time include vulnerability trends, remediation speed, and compliance with security standards.
Vulnerability trends are particularly revealing; monitoring the number of vulnerabilities identified during development compared to those discovered in production can provide valuable insights. Remediation time – the average time taken to remediate identified vulnerabilities – is another, as is security debt, which measures the accumulation of unresolved vulnerabilities at each stage.
A clear focus on these indicators, combined with regular reviews, executive support, and developer engagement, creates a continuous improvement cycle. This not only gives insight into an organisation’s current state, but also enhances its overall security posture by ensuring the AppSec programme evolves to meet emerging threats.
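The three metrics described in the last answer (vulnerability trend by stage, remediation time, and security debt) computed over a small constructed set of findings. This is an added illustration, not code from the interview or from Veracode; the `Finding` fields and the "dev"/"prod" stage labels are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

@dataclass
class Finding:
    fid: str
    severity: str          # "high", "medium" or "low"
    stage: str             # "dev" = caught by pre-release scanning, "prod" = found in production
    found: date
    fixed: Optional[date]  # None = still open, i.e. part of security debt

# Constructed sample data (not real scan output): six findings across two months.
FINDINGS = [
    Finding("F-1", "high",   "dev",  date(2024, 1, 3),  date(2024, 1, 10)),
    Finding("F-2", "medium", "dev",  date(2024, 1, 5),  date(2024, 1, 19)),
    Finding("F-3", "high",   "prod", date(2024, 1, 8),  date(2024, 1, 29)),
    Finding("F-4", "low",    "dev",  date(2024, 2, 1),  None),
    Finding("F-5", "medium", "prod", date(2024, 2, 14), None),
    Finding("F-6", "high",   "dev",  date(2024, 2, 20), date(2024, 2, 24)),
]

def dev_detection_share(findings):
    """Fraction of findings caught in development rather than in production.
    A rising value means shift-left controls are catching issues earlier."""
    return sum(f.stage == "dev" for f in findings) / len(findings) if findings else 0.0

def monthly_counts(findings):
    """Vulnerability trend: findings per (year, month), split by stage."""
    trend: Dict[tuple, Dict[str, int]] = {}
    for f in findings:
        bucket = trend.setdefault((f.found.year, f.found.month), {"dev": 0, "prod": 0})
        bucket[f.stage] += 1
    return trend

def mean_time_to_remediate(findings):
    """Average days from discovery to fix, over closed findings only."""
    days = [(f.fixed - f.found).days for f in findings if f.fixed is not None]
    return sum(days) / len(days) if days else 0.0

def security_debt(findings, as_of):
    """Unresolved findings per stage, with their accumulated age in days as of a date."""
    debt = {"dev": {"open": 0, "open_days": 0}, "prod": {"open": 0, "open_days": 0}}
    for f in findings:
        if f.fixed is None:
            debt[f.stage]["open"] += 1
            debt[f.stage]["open_days"] += (as_of - f.found).days
    return debt

if __name__ == "__main__":
    print(f"dev detection share: {dev_detection_share(FINDINGS):.0%}")
    print(f"mean time to remediate: {mean_time_to_remediate(FINDINGS):.1f} days")
    print("security debt:", security_debt(FINDINGS, date(2024, 3, 1)))
```

Tracking these values per release or per quarter, rather than from a one-off assessment, is what turns them into the continuous indicators the answer describes.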