Application security is awesome; learn when to start with it.
To get the answer, imagine you move to a new apartment and decide to equip it with a fire extinguisher.
It can really help in case of fire, but it does not have legs, arms, a brain, or the skills to fight the fire by itself. A fire alarm, flood control, construction netting, etc. are the same: they all require skills for further action.
Having a fire extinguisher doesn't prevent fire, but it certainly reduces the risk of burning down.
Similarly, appsec helps companies reduce business risks and stay successful for as long as possible.
⟰ ⟰ ⟰ ⟰ ⟰ ⟰ ⟰ ⟰ ⟰ ⟰ ⟰ ⟰ ⟰ ⟰
In your case, first, identify and assess your business risks.
Risk assessment does not provide absolute numbers; it deals with events and probabilities. Find out what pitfalls your product can meet on its way and how severe they would be.
By adding stronger security controls, you avoid potential threats and minimize their impact.
💎 The rule of thumb is: mind the loss and watch the money.
In application security, you can do less if there's nothing to lose, and do more if you have crown jewels to secure or want to avoid further security fixes and financial, legal or reputational aftermath.
So, relax if you can afford the loss and feel pretty sure you can recover from it without stress. Start with a risk mitigation strategy if you cannot bear it.
The latter choice will bring you and your calculator to your company's strategic plans, technical assets, potential threat events, worst-case scenarios, etc. At this point you will get acquainted with existing risk assessment frameworks.
💎 If you haven't heard anything about typical application security mistakes, start with the OWASP Top Ten (take the bare bones or follow the rabbit to open a whole brand-new world) and the regulations applicable to your project (GDPR, PCI DSS, etc.). This will give you an overview of the technical aspects and organisational procedures to keep in mind. Then deepen your knowledge with OWASP ASVS, OWASP MASVS and OWASP SAMM.
💎 The next level of the risk assessment adventure will lead you to FAIR, a quantitative model for information security and operational risk. Through rather simple-to-follow instructions and mathematical formulae, it will help you measure security risks in money terms.
💎 Down under these levels, there lie the deep waters and pleasures of NIST and the hundreds of pages of its Risk Management Framework for Information Systems and Organizations document (NIST SP 800-37), designed for large enterprises. It explains how big organisations handle information security risks.
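As an added illustration of the kind of arithmetic FAIR asks for (this is not code from the article or from the FAIR standard's own materials): Loss Event Frequency is Threat Event Frequency times Vulnerability, and expected annual loss is LEF times Loss Magnitude. The min/most-likely/max ranges, the "credential stuffing against the login" scenario and the control cost are constructed, hypothetical numbers.

```python
# Added example: FAIR-style annual loss exposure; all ranges are constructed, hypothetical inputs.
import random
import statistics
from dataclasses import dataclass

@dataclass
class Triangular:
    """Min / most-likely / max estimate, the shape of a FAIR calibrated range."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class Scenario:
    tef: Triangular   # threat event frequency: attempts per year
    vuln: Triangular  # probability that an attempt becomes a loss event
    lm: Triangular    # loss magnitude per loss event, in currency units

def point_estimate(s: Scenario) -> float:
    """Expected annual loss = LEF (TEF x Vulnerability) x Loss Magnitude.
    Means multiply because the three factors are assumed independent."""
    return s.tef.mean() * s.vuln.mean() * s.lm.mean()

def simulate(s: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo: draw each factor per trial and summarize the annual loss."""
    rng = random.Random(seed)
    losses = sorted(s.tef.sample(rng) * s.vuln.sample(rng) * s.lm.sample(rng)
                    for _ in range(trials))
    pct = lambda p: losses[int(p * (trials - 1))]  # empirical percentile
    return {"mean": statistics.fmean(losses),
            "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}

def control_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net yearly value of a control: expected loss avoided minus its cost (negative = not worth it)."""
    return point_estimate(before) - point_estimate(after) - annual_cost

if __name__ == "__main__":
    baseline = Scenario(Triangular(2, 4, 12), Triangular(0.1, 0.2, 0.5),
                        Triangular(20_000, 50_000, 200_000))
    # Hypothetical control (e.g. MFA) that lowers the chance an attempt succeeds.
    with_mfa = Scenario(baseline.tef, Triangular(0.01, 0.03, 0.1), baseline.lm)
    print(round(point_estimate(baseline)), simulate(baseline))
    print("net value of MFA at 30k/year:", round(control_value(baseline, with_mfa, 30_000)))
```

The percentiles matter more than the mean: the p90/p95 figures are the "worst-case scenarios" the article mentions, and they are what you compare against what the business can afford to lose.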
To get closer to applied risk/data management, you can look through the materials from the workshop on security data management for app developers by Anastasiia Voitova, or follow her (@vixentael) and @Cossack Labs for future talk/workshop announcements and updates, like this: