One of the great aspects of conferences like Black Hat in Las Vegas is the unscripted and candid conversations that take place. Journalists meet with industry experts to talk security trends, vendors talk to potential customers about their challenges and learn more about meeting market demands and, of course, attendees have impromptu discussions about the presentations. It's all great stuff. These conversations are rarely recorded, but that's just what online cybersecurity news hub Dark Reading did during the conversation between Chris Wysopal, CTO and cofounder of CA Veracode, and Sara Peters, senior editor at Dark Reading.
Peters started the conversation by saying that security "all comes back to code," with Wysopal pointing out, "The state of application security is spotty." The data from CA Veracode's recent State of Software Security Report: Focus on Industry Verticals supports this assertion.
The report found that there is a major disparity in the maturity of AppSec programs across industries. Manufacturing and financial services are fairly mature, while it may come as no surprise to learn that the government is pretty bad at application security. The report examines the disparity between industries more deeply and speculates on why some industries do better than others.
Moving on from the general state of application security, Sara and Chris also touched on the issues that keep security professionals awake at night. Chris pointed out the sad fact that even though security professionals are worried about application security, this isn't necessarily where their budget is going.
Why aren't budgets being allocated to the areas security professionals are identifying as key causes for concern? The focus on compliance or sensationalized risk leaves security professionals with little in the way of resources to address the real threats that cause breaches – like vulnerabilities in the application layer.
How can security and risk professionals change the conversation around security? CISOs and security & risk professionals need to communicate with non-IT executives more effectively so that they can steer the conversation to be about the threats that the company is really facing, rather than the threats hyped by the media.
Sara and Chris touched on one of the media-hyped threats – Stagefright. The Android vulnerability was dubbed the "Mobile Heartbleed" and was discussed in more depth during the conference. Chris offered some insight into why the fear around Stagefright isn't just media hype and why component vulnerabilities are so challenging.
You can hear Sara and Chris's full conversation here.