Strengthening Secure Software Practices for a Global Energy Leader

About the Client

A leading global energy company with a diverse portfolio spanning oil & gas, petrochemicals, petroleum products, and clean energy solutions. Committed to achieving net-zero carbon emissions by 2050, the client is actively supporting a responsible and just transition to a low-carbon energy future.

Project Overview

The client's Cybersecurity division launched a Secure Software Program, integrating a robust governance framework and a sustainable change management approach. The goal: upskill both cybersecurity and software development teams in Secure by Design and Privacy by Design principles.

Objectives

  • Develop an Application Security Verification Procedure aligned with the client's Secure Software Development Control Guideline, based on NIST SSDF and OWASP ASVS
  • Create a Secure Code Review Manual as a foundational element of the client's broader application security strategy

AppFuxion's Role

As the cybersecurity consulting partner, AppFuxion provided expert guidance on secure software development frameworks aligned with global standards including NIST SSDF, OWASP, and TOGAF Security Architecture.
Our services included:

  • Cybersecurity Framework Consultancy
  • Secure Software Development Lifecycle Integration
  • Custom policy and guideline development
  • Risk-based remediation planning and prioritization

Our approach emphasized localized, practical implementation—ensuring scalable and sustainable practices for secure coding and threat mitigation throughout the software lifecycle.

Key Challenges & Solutions

  1. Aligning Diverse Stakeholders

    The client needed a unified application security standard to bridge gaps between Cybersecurity Assurance and technical teams. Stakeholders had differing views on how to adopt OWASP ASVS.

    Our Approach: We facilitated multi-team workshops to align perspectives, demonstrated real-world use cases, and localized OWASP ASVS to fit the client's Secure Software Development Guidelines. We also mapped OWASP Top 10 (Web, Mobile, API) to the client's threat model for better context.

  2. Mapping Business Risk to Security Controls

    Another challenge was translating the client's Business Impact Analysis (BIA)—which includes hundreds of business controls—into a relevant and actionable matrix mapped to the chosen security standards.

    Our Approach: Working closely with the Cybersecurity Assurance team, we developed a comprehensive mapping table connecting BIA business controls to security verification requirements. Through focused workshops, we achieved consensus in under four sessions.

Outcomes & Success Metrics

  • Established a unified, risk-aligned Application Security Verification baseline
  • Delivered a Secure Code Review Manual tailored to the client’s environment
  • Strengthened internal alignment across Cybersecurity, IT, and Development functions
  • Achieved rapid stakeholder consensus through collaborative engagement

Key Success Factor:

A strong partnership between AppFuxion and the client’s Cybersecurity Assurance team, marked by transparency, iteration, and shared commitment to long-term impact.

Copyright ©2025 Appfuxion. All rights reserved