Enterprise Web Application Security: Part 1 - The Foundation - Following the White Rabbit Blog

The term "Enterprise Web Application Security Program" has been evolving. It generally refers to a corporate IT program that includes web application code in some way, and it has traditionally meant either a white-box approach or a black-box approach, carried out either with tools or by a third party performing the assessment.

No matter how you look at it, that's all completely wrong.

First off, the thought that a "security program" would begin with code is a failure to launch, in my experience. Web application security deals far more with non-code items than we'd like to believe, yet those items are rarely addressed. These topics include hosting, server hardening, user management, and a few others I'm forgetting now. The point is that before you can build a strong web application security program that withstands not only economic cycles but business trends, you have to understand what it is you're building. Much like a home, you can't change plans after the foundation has been laid... or else you will fail.

There are some fundamental components you must consider before you start to lay the foundation for your Enterprise Web Application Security Program. Here are some of the most important ones, which have to be addressed from day one:

  1. Intended purpose - In order to solve a problem you must know what that problem is; you must understand, in business terms, what the purpose of the program you're building is going to be.
  2. Long-term vision - Define what you see this program evolving into 6, 12, and 18+ months down the road; clearly identifying a long-term goal will ensure that you don't start straying in different directions as you progress.
  3. Success criteria - There must be a clear definition of how success or failure will be measured; if there is no way to measure failure you will never know whether you've succeeded (or failed) in your goals. Setting realistic success criteria in a concrete context (as opposed to "secure the company's web applications") makes those goals achievable, while setting milestones helps you focus on making the little changes over time that don't happen overnight.
  4. Metrics - Setting success criteria and having clear metrics go hand-in-hand when building a framework and foundation for a successful program. Just as you have to have a goal, you must be able to measure that goal accurately at any given point along your path in order to assess your rate of success.
  5. Scope - While it may sound rudimentary to say that your program must have a scope, scope is not to be confused with vision or success criteria. Scope keeps your program in focus and prevents creep into areas you are not equipped to handle. Scope creep is one of the most widely identified obstacles to success; if the finish line is always moving you will never be able to reach it.
  6. Identified starting point - Yes, it's critical to identify where you are starting; this goes back to gathering metrics and measuring success. Very rarely does a program actually start at "nothing"; there is always some degree of movement already, so you must quickly identify your starting point in order to build from that point forward.

There you have it: six (6) identified components of a foundational approach to building an enterprise web application security program. If you're starting to put together a framework for such a program, whether it's due to compliance needs or internal pressures, make sure you understand at least those six pieces. Write them down, and remind yourself regularly of their existence.

As master Yoda said - "Do, or do not do, there is no try".

Next time we will address framing the first step of building your program: the policy.


Posted 02-20-2009 3:10 PM by RafalLos
