{"id":40209,"date":"2021-03-29T16:00:23","date_gmt":"2021-03-29T16:00:23","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=93210"},"modified":"2021-03-29T16:00:23","modified_gmt":"2021-03-29T16:00:23","slug":"how-to-build-a-successful-application-security-program","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/","title":{"rendered":"How to build a successful application security program"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/03\/CLO20b_Madeleine_office_007.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><em>The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In&nbsp;the&nbsp;latest Voice of the Community blog&nbsp;series post, Microsoft Product Marketing Manager <a href=\"https:\/\/www.linkedin.com\/in\/nataliagodyla\/\" target=\"_blank\" rel=\"noopener noreferrer\">Natalia&nbsp;Godyla&nbsp;<\/a>talks with&nbsp;Tanya Janca, Founder of&nbsp;<a href=\"https:\/\/www.wehackpurple.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">We Hack Purple Academy<\/a> and author of the best-selling book \u201c<a href=\"https:\/\/academy.wehackpurple.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Alice and Bob Learn Application Security<\/a>.\u201d Previously, Tanya shared her perspectives on the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/11\/the-biggest-challenges-and-important-role-of-application-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">role of application security (AppSec)<\/a> and the challenges facing AppSec professionals. 
In this blog, Tanya shares how to build an AppSec program, find security champions, and measure its success.<\/em><\/p>\n<p><strong>Natalia: When you\u2019re building an AppSec program, what are the objectives and requirements?<\/strong><\/p>\n<p><strong>Tanya:<\/strong> This is sort of a trick question because the way I do it is based on what\u2019s already there and what they want to achieve. For Canada, I did antiterrorism activities, and you better believe that was the strictest security program that any human has ever seen. If I\u2019m working with a company that sells scented soap on the internet, the level of security that they require is very different, their budget is different, and the importance of what they\u2019re protecting is different. I try to figure out what the company\u2019s risks are and what their tolerance is for change. For instance, I\u2019ve been called into a lot of banks and they want the security to be tight, but they\u2019re change-averse. I find out what matters to them and try to bring their eyes to what should matter to them.<\/p>\n<p>I also usually ask for all scan results. Even if they have almost no AppSec program, usually people have been doing scanning or they\u2019ve had a penetration test. I look at all of it and I look at the top three things and I say, \u201cOK, let\u2019s just obliterate those top three things,\u201d because quite often the top two or three are 40 to 60 percent of their vulnerabilities. First, I stop all the bleeding, and then I create processes and security awareness for developers. We\u2019re going to have a secure coding day and deep dive into each one of these things. I\u2019m going to spend quality time with the people who review all the pull requests so they can look for the top three and start setting specific, measurable goals.<\/p>\n<p>It\u2019s really important to get the developers to help you. 
When you have a secure coding training, a bunch of developers will self-identify as the security developer. There will be one person who asks multiple questions. We\u2019re going to get that person\u2019s email. They\u2019re our new friend. We\u2019re going to buy that person some books and encourage open communication because that person is going to be our security champion. Eventually, many of my clients start security champion programs and that\u2019s even better because then you have a team of developers\u2014hopefully one per team\u2014that are helping you bring things to their team\u2019s attention.<\/p>\n<p><strong>Natalia: What are some of the key performance indicators (KPIs) for measuring security posture?<\/strong><\/p>\n<p><strong>Tanya:<\/strong> As application security professionals, we want to minimize the risk of scary apps and then try to bring everything across the board up to a higher <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/security-center\/\" target=\"_blank\" rel=\"noopener noreferrer\">security posture<\/a>. Each organization sets that differently. For an application security program, I would measure that every app receives security attention in every phase of the <a href=\"https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/\" target=\"_blank\" rel=\"noopener noreferrer\">software development life cycle<\/a>. For a program, I take inventory of all their apps and APIs. Inventories are a difficult problem in application security; it\u2019s the toughest problem that our field has not solved.<\/p>\n<p>Once you have an inventory, you want to figure out if you can do a quick dynamic application security testing (DAST) scan on everything. You will see it light up like a Christmas tree on some, and on others, it found a couple of lows. It\u2019s not perfect, but it\u2019s what you can do in 30 days. You can scan a whole bunch of things quickly and see OK, so these things are terrifying, these things look OK. 
Now, let\u2019s concentrate on the terrifying things and make them a little less scary.<\/p>\n<p><strong>Natalia: Do you have any best practices for threat modeling cloud security?<\/strong><\/p>\n<p><strong>Tanya:<\/strong> For threat modeling generally, I introduce it as a hangout session with a security person and try not to be too formal the first time, because developers usually think, \u201cWhat is she doing here? Danger, Will Robinson, danger. The security person wants to spend time with us. What have we done wrong?\u201d I say, \u201cI wanted to talk about your app and see if there\u2019s any helpful advice I can offer.\u201d Then, I start asking questions like, \u201cIf you were going to hack your app, how would you do it?\u201d<\/p>\n<p>I like the <a href=\"https:\/\/docs.microsoft.com\/en-us\/archive\/msdn-magazine\/2006\/november\/uncover-security-design-flaws-using-the-stride-approach\" target=\"_blank\" rel=\"noopener noreferrer\">STRIDE methodology<\/a>, where each of the letters represents a different thing that you need to worry about happening to your apps. Specifically, spoofing, tampering, repudiation, information disclosure, denial of service (DoS), and elevation of privilege. Could someone pretend to be someone else? Could someone pretend to be you? I go through it slowly in a conversational manner because that app is their baby, and I don\u2019t want them to feel like I\u2019m attacking their baby. Eventually, I teach them STRIDE so they can think about these things. 
Then, we come up with a plan and I say, \u201cOK, I\u2019m going to write up these notes and email them to you.\u201d Writing the notes means you can assign tasks to people.<\/p>\n<p>With threat modeling in the cloud, you must ask more questions, especially if your organization has had previous problems. You want to ask about those because there will be patterns. The biggest issue with the cloud is that we didn\u2019t give them enough education. When we\u2019re bringing them to the cloud, we need to teach them what we expect from them, and then we\u2019ll get it. If we don\u2019t, there\u2019s a high likelihood we won\u2019t get it.<\/p>\n<p><strong>Natalia: How can security professionals convince decision-makers to invest in AppSec?<\/strong><\/p>\n<p><strong>Tanya:<\/strong> I have a bunch of tricks. The first one is to give presentations on AppSec. I would do lunch and learns. For instance, I sent out an email once to developers: \u201cI\u2019m going to break into a bank at lunch. Who wants to come watch?\u201d and then I showed them this demo of a fake bank. I explained what <a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/sql-injection?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener noreferrer\">SQL injection<\/a> was and I explained how I\u2019d found that vulnerability in one of our apps and what could happen if we didn\u2019t fix it. And they said, \u201cWoah!\u201d Or I\u2019d ask, \u201cWho wants to learn how to hack apps?\u201d and then I showed them a DAST tool. I kept showing them stuff and they started becoming more interested.<\/p>\n<p>Then, I had to interest the developer managers and upper management. Some were still not on board because this was their first AppSec program and my first AppSec program. 
No one would do what I said, and I had all these penetration test results from a third party, and we had hired four different security assessors and they\u2019d reported big issues that needed to be addressed.<\/p>\n<p>So, I came up with a document called the risk sign-off sheet, which listed all the security risks and exactly what could happen to the business. I was extremely specific about what worried me. I printed it and I had a sign-off for the Director of Security for the whole building and the Chief Information Officer of the entire organization. I went to them and said, \u201cI need your signature that you accept this risk on behalf of your organization.\u201d I put a little note on the risk sign-off sheet that read: Please sign.<\/p>\n<p>The Director of Security called and said, \u201cWhat is this, Tanya?\u201d and I told him, \u201cNo one will fix these things and I don\u2019t have the authority to accept this risk on behalf of the organization. Only you do. I don\u2019t have the authority to make these people fix these things. Only you do. I need you to sign to prove that you were aware of the risks. When we\u2019re in the news, I need to know who\u2019s at fault.\u201d Both the CIO and the Director of Security refused to sign, and I said, \u201cThen you have to give me the authority. I can\u2019t have the responsibility and not have the authority\u201d and it worked. I\u2019ve used it twice at work and it worked.<\/p>\n<p>It\u2019s also important to explain to them using words they understand. The Head of Security, who is in charge of physical security and IT security, was a brilliant man but he didn\u2019t know AppSec. 
When I explained that because of this vulnerability you can do this with the app, and this is what can result for our customers, he said, \u201cOh, let\u2019s do something.\u201d I had to learn how to communicate a lot better to do well at AppSec because as a developer, I would just speak developer to other developers.<\/p>\n<h2>Learn more<\/h2>\n<p>To learn more about Microsoft Security solutions <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener noreferrer\">visit our website.<\/a>&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener noreferrer\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/29\/how-to-build-a-successful-application-security-program\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tanya Janca, Founder of the We Hack Purple Academy, talks with Microsoft about how to build an application security program and measure its success.<br \/>\nThe post How to build a successful application security program appeared first on Microsoft Security. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":40210,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[347,9127],"class_list":["post-40209","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-cybersecurity","tag-voice-of-the-community"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to build a successful application security program 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to build a successful application security program 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-03-29T16:00:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/how-to-build-a-successful-application-security-program.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"How to build a successful application security program\",\"datePublished\":\"2021-03-29T16:00:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/\"},\"wordCount\":1589,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/how-to-build-a-successful-application-security-program.jpg\",\"keywords\":[\"Cybersecurity\",\"Voice of the Community\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/\",\"name\":\"How to build a successful application security program 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/how-to-build-a-successful-application-security-program.jpg\",\"datePublished\":\"2021-03-29T16:00:23+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/how-to-build-a-successful-application-security-program.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/how-to-build-a-successful-application-security-program.jpg\",\"width\":1200,\"height\":800},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-build-a-successful-application-security-program\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"ht
tps:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/cybersecurity\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to build a successful application security program\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"How to build a successful application security program 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/","og_locale":"en_US","og_type":"article","og_title":"How to build a successful application security program 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-03-29T16:00:23+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/how-to-build-a-successful-application-security-program.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"How to build a successful application security program","datePublished":"2021-03-29T16:00:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/"},"wordCount":1589,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/how-to-build-a-successful-application-security-program.jpg","keywords":["Cybersecurity","Voice of the Community"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/","url":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/","name":"How to build a successful application security program 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/how-to-build-a-successful-application-security-program.jpg","datePublished":"2021-03-29T16:00:23+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/how-to-build-a-successful-application-security-program.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/03\/how-to-build-a-successful-application-security-program.jpg","width":1200,"height":800},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-successful-application-security-program\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/www.threatshub.org\/blog\/tag\/cybersecurity\/"},{"@type":"ListItem","position":3,"name":"How to build a successful application security 
program"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a867
1ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/40209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=40209"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/40209\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/40210"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=40209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=40209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=40209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}