Application security is changing

Learn how to do more without getting more resources.

The next virtual conference is October 15th

What is LeanAppSec?

LeanAppSec is a philosophy that reduces risk without increasing resources. Much like lean manufacturing revolutionized production by focusing on efficiency and eliminating waste, application security needs a similar mindset shift.

Through virtual conferences, videos, and articles, we’ll show you how to apply the LeanAppSec Principles at your organization.

Why Adopt LeanAppSec Principles?

Increased Efficiency and Reduced Waste

Streamlining processes, automating tasks, and integrating security earlier optimizes resource utilization and minimizes costly rework.

Faster and More Secure Development

Embedding security into the SDLC and making it demand-driven accelerates delivery while improving code quality and reducing vulnerabilities.

Stronger Collaboration and Risk Management

Fostering better communication and value-driven security leads to more effective risk mitigation and a stronger security posture.
PRINCIPLE 1

Know your value streams

How does AppSec add value to your business’s goals?

This principle starts with a deep understanding of what your company values. That is not just a matter of technical security metrics; it means understanding value in terms of both business and customer objectives, and then mapping those company value streams to the specific activities the application security team performs.

PRINCIPLE 2

Create flow

How can AppSec processes ensure you don’t waste your limited resources?

In the context of AppSec, this means establishing clean, continuously improved processes. Creating flow states for both application security activities and engineering teams is essential. Continuous improvement is key: processes are not static, and should evolve to become ever more efficient.

PRINCIPLE 3

Implement pull-based systems

Where can AppSec activities coincide with SDLC activities?

Unlike push-based systems, where work is pushed onto other teams (often security pushing work onto developers), pull-based systems are demand-driven. For application security, implementing a pull-based system involves thinking about how to embed AppSec activities into the software development life cycle (SDLC) itself.


Testimonial

We went to the C-suite to ask for more headcount to handle our vulnerability backlog, but they said no. Without more resources, we had to become more efficient with what we had. The outcome is far better than if we’d just added more staff. Developers are fixing risks. We’re meeting SLAs. And the AppSec team gets to focus on impactful project work.

Raphael Theberge
Director of Security Enablement, Relativity

Past Episodes

Oct 29, 2024
2024 Fall / Why No One is Fixing Your Vulnerabilities You Find
Oct 29, 2024
2024 Fall / How to Use Compliance as a Driver for AppSec
Oct 29, 2024
2024 Fall / Why AppSec Priorities Shift