At the Core: A Summary of Gartner’s “A Guidance Framework for Building an Application Security Program”

In an era where digital transformation has accelerated the pace at which applications are developed, deployed, and consumed, the critical significance of application security has never been more pronounced. Malicious actors are increasingly turning their attention to web and mobile applications, seeking to exploit any chink in their digital armor. To counter these threats, organizations must cultivate a robust approach to application security that is both anticipatory and adaptive.

In “A Guidance Framework for Building an Application Security Program,” Gartner provides recommendations for security and risk management technical professionals focused on application security. In this comprehensive summary, we will dissect Gartner’s framework and highlight key points to fortify your digital assets and instill a proactive security posture within your organization.

The Pillars of Application Security

Gartner’s framework rests on four pivotal pillars, each addressing a crucial segment of application security: Governance, Architecture and Design, Implementation and Verification, and Operations. By addressing each pillar, organizations can systematically enhance their defenses against an array of potential threats.

Governance

An effective governance model acts as the backbone of any security program. According to Gartner, this should include:

  • “Establishing a presence in the SDLC
  • Establishing training and awareness initiatives
  • Defining and revising metrics and SLAs”

When establishing a presence in the SDLC, Gartner states, “The long-term goal should be a secure-by-design approach to application security. This means that security must be pervasive throughout the product life cycle including in the ideation, design, development, deployment and operations segments of the SDLC.” This echoes the “shift left” approach where security is incorporated early in the SDLC.

Architecture and Design

Within this pillar, Gartner details four steps:

  • “Use Threat Modeling to Identify Technical Exposures and Standard Mitigations
  • Identify Security Requirements
  • Draft and Publish Coding Standards
  • Enforce Use of Trusted Dependencies”

According to Gartner, “Following regulatory guidance alone is not a guarantee of security. Driving security purely by corporate policy and/or regulation reduces the likelihood of success for an application security program.”

Implementation and Verification

While the architecture sets the framework, implementation is where the actual fortification occurs. Within this pillar, Gartner encourages security and risk management professionals to:

  • “Verify code with AST tools
  • Scan dependencies
  • Secure the software supply chain”

With regards to implementation and verification, Gartner states, “Organizations looking to mature their application security programs should provide nonsecurity personnel (e.g., application developers) with access to AST tools while also enabling them with self-service capabilities. Such tools should fit well with existing development processes and technology, preferably having the results of AST scans easily available in existing development technologies, like CI/CD automation solutions. Security champions can be a force multiplier for these solutions by providing other team members with guidance on the issues being reported.”

Operations

The application security program does not culminate at deployment. Continuous monitoring and reaction to emergent threats are integral to its effectiveness. Within this final pillar of the framework, Gartner suggests organizations:

  • “Harden runtime infrastructure
  • Incorporate perimeter security controls
  • Secure and manage APIs”

Our opinion: How Quokka Aligns with Gartner’s Framework

The report states, “Security and risk management (SRM) technical professionals focused on application security should automate security verification and testing practices for applications.” Further, “Security must be seen as an integral part of the development processes and not a separate silo.”

Quokka’s Q-MAST solution enables organizations to effectively measure the security and privacy preparedness of their applications. Q-MAST offers a broad and in-depth range of tests covering every stage of the software development lifecycle (SDLC), from design to deployment, without source code access. With a design tailored for DevSecOps workflows, Q-MAST supports continuous, automated security testing alongside tools like Jenkins, GitLab, and GitHub.

Conclusion

The creation of an application security program is not a finite task; it is an ongoing mission that requires continual refinement and an adaptive approach. By adhering to the framework provided by Gartner and tailoring it to your organization’s specific needs, you can create an application security program that not only defends against threats but also fosters innovation securely.

For further reading and to understand the comprehensive insights and methodologies discussed, refer to Gartner’s “A Guidance Framework for Building an Application Security Program” (available to Gartner subscribers only), which provides in-depth analysis of evolving application security technologies and practices (Gartner, 2024).