Software builders and developers just can't agree. That's the takeaway from a recent SANS white paper, entitled "2015 State of Application Security: Closing The Gap." The report found that while software creators and security experts both identified three top security challenges, these challenges were completely different. In an IT world informed by rapid technology development and rapidly increasing reliance on cloud-based applications, this is a recipe for disaster. How can builders and defenders ensure they're on the same page when it comes to security?
For builders, the biggest challenges relate to market forces and funding. Topping the list is a need to deliver app features on time; with ever-shorter product cycles quickly becoming the norm, app security is among the first "add-on" cut from any builder project. A lack of skills to build this kind of secure software is also a concern, along with a lack of management funding or support for improved security from the ground up when other features are more cost effective. The result? Builders often look for "someone else" to handle security, giving the impression that they're trying to foist bad code on other departments rather than fixing their own problems.
The top three security challenges for defenders? Identifying every application in a company's app portfolio grabs the number one spot, followed by fear of modifying code and possibly "breaking" an app. Communications silos round out the top three, since security pros know the results can be disastrous when development, defense and other departments don't communicate.
Making this more difficult is that some of the information needed to take stress off of defender teams comes directly from builders — since they're designing and leveraging business applications at scale, they could easily provide accurate counts of total app numbers. And while builders look for other teams to handle the security end of application building, defenders often encounter user resistance by trying to "force" better security through compliance reviews and penetration testing, rather than looking for ways to bake-in network protection at the builder level.
While the security challenges cited by both defenders and builders are relevant and require attention, there are bigger problems on the horizon. As noted by Computer World, for example, software development remains a critical point of failure for security. And when companies factor in the cloud, things get even more worrisome. Security Innovation Europe points out that data breaches caused by XSS, XSRF, SQL injection and other vulnerabilities have far greater impact when resources are leveraged via public providers or shared servers.
In some cases, even the efforts made by companies to improve code security have the opposite effect. According to Tech Republic, for example, the benefits of closed source code to protect valuable assets and defend against malicious tampering are often counterbalanced by the expense of finding reliable, independent code review and the fact that great code writers often leverage open source options to develop best-of-breed apps.
Bottom line? Builders and defenders can't afford to face off against each other — the increasing speed of app development, coupled with rapid cloud adoption, demands that these departments find common ground.
According to the SANS report, there's hope that builders and defenders can meet in the middle; both define web, mobile and cloud technologies as top threat vectors and are moving to combat these issues. But focusing on end results is just the beginning. To effectively tackle security challenges on both ends of the business spectrum, it's critical for these departments to develop practical, actionable ways they can implement security at every stage of the development lifecycle, eliminating the tendency of builders to place this responsibility on other business silos, and of security teams to feel like they're alone in the fight.
By developing an application security plan that includes compliance in design, multiple testing and fix methods such as dynamic application security testing (DAST), fuzzing, code reviews, root cause analysis and web application firewalls (WAF), along with high-level information governance (IG) and oversight, it's possible to craft an application design environment that both speaks to builders' creative tendencies and satisfies defenders' needs to secure sensitive code.
The top three challenges may differ, but the aim remains the same: A secure, more profitable software application environment. Ready to learn more? Download the white paper here.