A CISO’s Guide To Application Security – Part 5: Justifying an Investment in AppSec

This post is the last in a 5-part series on Application Security, or “AppSec”. By Fergal Glynn.

This blog post series has examined the growing threats to software, defined the components of a sound AppSec program, described an evolutionary path to AppSec maturity, and considered a number of tools and technologies worthy of investment. Ultimately, it is the responsibility of the Chief Information Security Officer (CISO), or equivalent, to mitigate the enterprise’s level of software risk as part of a comprehensive infosec strategy. In this, the final post in the series, let’s review the return on investment possible from a sound AppSec program, including ways to build a business case for further investment in this critical IT security discipline.


It’s been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it’s had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and customers is less well-known. Several large organizations have adopted the SDL, either in whole or in part, and Microsoft executives say that the effects on these organizations are going to be just as important as they were for Microsoft.
