Gartner 2017 - Launch An API-First Secure Development Strategy


LAUNCH AN API-FIRST SECURE DEVELOPMENT STRATEGY

OBJECTIVE

Launch a multiyear initiative to build security services and APIs that developers can use to quickly incorporate high-impact, reusable security functionalities into the applications without requiring specialized security skills and training.

HOW WE’LL MEET OUR OBJECTIVE

1. Provide developers with security functionalities as reusable services, similar to any other business functionalities.
2. Think strategically about how to stimulate the initial growth and build momentum for success by addressing funding, API management, and developer engagement challenges.
3. Prioritize building APIs for core security functionalities that deliver high business and security impact.
4. Make API usage the default option for developers by partnering with key functions to embed tools and training in developer ecosystems.

COMPANY SNAPSHOT

Bolt Financial Group¹

Industry: Financial Services
2016 Revenue: More Than $30 Billion
2016 Employees: More Than 75,000

Bolt Financial Group is a leading North American financial services company.

¹ Pseudonym.

© 2017 Gartner Inc. and/or its affiliates. All rights reserved. IREC173081
PROVIDE REUSABLE FUNCTIONALITIES

To reduce the time and effort required to build security features into applications, provide developers these functionalities as reusable services, using the enterprise’s existing development platforms.

■ Engage the individuals or functions who manage the organization’s shared IT service and API platforms to create a roadmap, loop in key stakeholders, and identify potential roadblocks.
■ Information Security worked with the Mid-Tier Architecture group to integrate security into Bolt’s microservice architecture transformation.

The goal is to enable security functionalities such as authentication and authorization the same way as customer experience, finance, and other business functionalities.

Using APIs to Expose Reusable Security Functionalities to Developers and Their Applications

Integrated Development Environment (IDE): Allows developers to write code and build applications.
  Application A: Mobile Payments
  Application B: Customer Analytics
  Application C: Order Processing

API Layer: Exposes all functionalities of business and security applications and services.

Business Applications and Services: Aligns IT applications and services to business functionalities.
  Customer Experience Functionalities
  Finance Functionalities
  Workforce Functionalities
  Security Functionalities

Enterprise Business Data: Stores and secures data for use in business applications and services.

Callout: Bolt provides developers with reusable security functionalities as services and exposes them to developers via API.

Source: Bolt Financial Group; CEB analysis.
PLAN FOR THE SHORT- AND LONG TERM

An API-first strategy will succeed only if momentum and support continue to build; this requires active management by Security.

■ After demonstrating early value from a proof of concept project, Information Security was able to make a more robust case for expanding the funding available to match the desired scope of the program.
■ API ownership can rest with Security, development teams, or other functions such as Enterprise Architecture; however, the enterprise should establish centralized API management.

Anticipating and Addressing Key Challenges in Implementing an API-First Strategy

Program Funding
  Initial Phase (Prime the Pump): Start with a small, easily funded proof of concept to demonstrate business value and attract interest from stakeholders.
  Ongoing (Sustain Momentum): Document improved security, developer time savings, and other benefits to support increased funding for the program.

API Management
  Initial Phase (Prime the Pump): Create an API architecture that allows for the adoption of public and private APIs as well as their lifecycle management.
  Ongoing (Sustain Momentum): Establish owners for APIs who are incentivized on their adoption, and supply these owners with consumption metrics and user feedback channels to guide their API lifecycle management.

API Consumption
  Initial Phase (Prime the Pump): Introduce security services and APIs as part of the broader development ecosystem by plugging into existing processes and workflow.
  Ongoing (Sustain Momentum): Set expectations with Applications leaders that their teams meet progressively higher consumption targets for security functionalities; eventually tighten policies and standards over API use when not overly burdensome on developers.

Source: Bolt Financial Group; CEB analysis.
PRIORITIZE CORE FUNCTIONALITIES

To maximize the value of the API program to developers, take into account business demand and impact, not just security needs.

■ Core security functionalities are typically required for baseline security in most applications (see the Do First list below).
■ Domain-specific functionalities are required in some but not all applications:
  ■ Access governance tools
    – Cloud access security brokering (CASB) for web-based applications
    – Secure web gateways (SWG)
    – Runtime application self-protection (RASP)
    – User and entity behavioral analytics (UEBA)
    – Mobile threat detection

Using Business and Security Impact Criteria to Guide API Prioritization

The matrix plots Business Impact [a] (Low to High, vertical axis) against Security Impact [b] (Low to High, horizontal axis).

Do First: Start by building APIs for core security functionalities that deliver high business and security impact:
  ■ Authentication
  ■ Authorization
  ■ Encryption
  ■ Logging and auditing
  ■ Key management

Do Next: Many domain-specific functionalities don’t peak on both security and business impact criteria; however, they are good candidates for expanding the program.

Do Later: By taking both business and security impact criteria into account, Information Security can avoid prioritizing seemingly obvious but ultimately wrong choices.

Source: Bolt Financial Group; CEB analysis.
[a] Business Impact = Frequency of use; potential speed and productivity gains for developers; direct business or developer demand.
[b] Security Impact = Severity of controls maturity gap relevant to the functionality.

See the Implementation Guide for an overview of Bolt’s Security Functionalities Catalog.
DRIVE API CONSUMPTION

Identify cross-functional partners who can help drive API consumption by embedding security tools and training in developers’ existing ecosystems and workflows.

■ Bolt’s Information Security team partners with Enterprise Architecture, which manages the broader ecosystem of developer-facing tools and resources, to promote use of security; in some companies, other groups will own management and delivery of developer toolsets.
■ Bolt formally trains and certifies senior developers to perform the role of security champion and incentivizes them to drive API consumption by developers.

Driving API Adoption Through Governance and Marketing

Governance
  What kind of help do we need? Integrating security functionalities into developers’ broader ecosystem, because Information Security lacks control over the list of approved tools and resources.
  Who has the expertise we need? Enterprise Architects.
  How can they help us drive API consumption?
    ■ Incentivize API consumption by amending policies and governance mechanisms.
    ■ Approve shared components, libraries, and reference architectures to accelerate new services.
    ■ Provide access to support and knowledge sharing (e.g., communities of practice).

Marketing
  What kind of help do we need? Socializing API adoption among the developer community, because developers inherently worry about Information Security slowing them down.
  Who has the expertise we need? Security Champions (drawn from both Information Security and Development Teams).
  How can they help us drive API consumption?
    ■ Evangelize API adoption to development teams and Applications leaders.
    ■ Teach API best practices in one-on-one and team coaching settings.
    ■ Write custom user stories that drive API usage.

Source: Bolt Financial Group; CEB analysis.
RESULTS

Bolt dramatically improved developers’ willingness and ability to build security features into their applications and approved $2.4 million in funding to expand the API program.

Information Security Received Additional Funding to Expand the Program

Investment Level
  Before: $400,000 (1x)
  After: $2,400,000 (6x; a 500% increase)

“Being able to plug in security features via API is a huge time saver and keeps me focused on what really matters: shipping code.”
Front-End Software Developer, Bolt Financial Group

Source: Bolt Financial Group; CEB analysis.
IMPLEMENTATION GUIDE

BOLT’S SECURITY FUNCTIONALITIES CATALOG

Bolt’s Security Functionalities Organized by Category and Controls Class

Identity and Access Management
  Functionalities: Provisioning/De-Provisioning, Authentication [a], ID Provider, Authorization [a], Federation [a], RBAC, Request, PAM
  Controls Class: Protective/Preventative

Web Security
  Functionalities: Proxies, Reverse Proxies/Access Gateways, Web Filtering, SSL Decryption, Phishing Site Blocking, E-Mail Security, Web Monitoring, Anti-Spam, Web Threat Detection
  Controls Class: Protective, Detective, Reactive

Encryption
  Functionalities: VPN, Certificate and Encryption Key Management [a], Virtual Storage, Communications Encryption, Application Encryption, Database Encryption, Digital Signatures
  Controls Class: Protective

Network Security
  Functionalities: Network Segmentation, Firewalls, Web App Firewalls, DDoS, DLP, IR Management, IDS/IPS, Security Gateways, AV/Malware
  Controls Class: Detective, Protective, Reactive

Security Information and Event Management
  Functionalities: Log Management [a], Event Correlation, Security/Incident Response, Scalability, Log/Event Storage, Search
  Controls Class: Detective

Security Assessments
  Functionalities: Vulnerability Assessments [a], Internal/External Pen-Tests, Virtual Infrastructure Assessments, Cloud Assessments, Code Assessments (Dynamic/Static) [a]
  Controls Class: Detective

E-Mail Security
  Functionalities: DLP for E-Mail, Content Security, E-Mail Encryption, Anti-Virus/Anti-Malware
  Controls Class: Protective, Detective, Reactive

Intrusion Management
  Functionalities: Packet Inspection, Identification/Prevention of Intrusions and Policy Violations, IR Management
  Controls Class: Detective, Protective, Reactive

Business Continuity and Disaster Recovery
  Functionalities: Backup, File Recovery, Third-Party Agreements, Replication, Disaster Recovery
  Controls Class: Reactive, Protective, Detective

Source: Bolt Financial Group; CEB analysis.
[a] APIs completed/in progress.
IMPLEMENTATION GUIDE

BOLT’S BUSINESS CASE FOR SECURITY FUNCTIONALITIES

Funding Requested to Deliver Standard Security Functionalities for Application Development

Key Deliverables
1. Build security services required for core security functions.
2. Implement solutions into prioritized projects with reusable patterns and code.

Investment Breakdown (pie chart): Talent and Staffing; Software and Licensing; Pro Fees for System Configuration (13%). The other two categories account for 58% and 29% of the investment.

Challenge
■ One-off security implementations in applications do not provide scalability.
■ Security is mostly done on a bespoke basis.
■ Systems do not scale for enterprise use.
■ Each application development group rebuilds the integration layer for security.

Solution
■ Standardize the process of securing applications.
■ Provide easily consumable microservices for application development teams.
■ Build sustainable and scalable security functionalities.

Source: Bolt Financial Group; CEB analysis.
IMPLEMENTATION GUIDE

SECURITY CHAMPION PROFILE AND CERTIFICATION PROCESS

AppSec Education Curriculum (Career Path)

OBJECTIVE: Develop a security-aware SDLC community and culture where Bolt develops secure applications in a natural manner.

Knowledge level progresses from Basic through Intermediate to Advanced across the five levels.

Level 1: Secure Software Practitioner (SSP) Learning Program
  Knowledge Level: Series of mandatory TalentLink courses assigned to job codes.
  Key Capabilities:
    ■ Key AppSec terminology
    ■ Trending technologies & their implications
    ■ SDLC roles
    ■ Get ISC² certified & earn an SSP badge

Level 2: Fundamentals of Application Security Program
  Knowledge Level: Series of optional courses.
  Key Capabilities:
    ■ Foundational elements of software security
    ■ Language-specific secure coding

Level 3: Learning by Playing
  Knowledge Level: TalentLink Gamification Learning Platform.
  Key Capabilities:
    ■ Secure coding technique
    ■ Vulnerable code identification
    ■ Hands-on vulnerability exploitation

Level 4: AppSec Warrior Program
  Knowledge Level: 9-Month In-Class & Self-Paced Learning Program.
  Key Capabilities:
    ■ Similar to AppSec Champion Program, with a lighter curriculum over 9 months instead of 3 months

Level 5: AppSec Champion Program
  Knowledge Level: Intensive 3-Month Coaching Program (2 people per quarter).
  Key Capabilities:
    ■ OWASP Risks / SANS Coding Errors
    ■ CSSLP certification
    ■ WebGoat
    ■ Security Assessment
    ■ BSIMM Model
    ■ Advanced Security Tools

STATUS (across levels): Level 1 launching June 2017; intermediate levels being developed (launching Q4 2017) or in progress; AppSec Champion Program TBD 2018.

COMMUNICATION PLAN (across levels): Email directly to Audience; VP Roadshows; Bolt Connect blogs; Bolt Connect sites; Word of Mouth; AppSec Champion Program TBD 2018.

DEVELOPING COMMUNICATION/MARKETING PLAN TO LAUNCH A COMPLETE “APPSEC CAREER PATH” *

* Excluding AppSec Champion Program as it involves an application/nomination process.

Slide source: Application Security – FY2017 Update to LoB Executive Team.

Source: Bolt Financial Group; CEB analysis.
