To say we at Veracode talk about the proliferation of applications and the dire need to secure these apps a lot would be a massive understatement. Securing the software that runs today's businesses, and frankly our lives, is our passion.
We are so immersed in the concept of ensuring the world's software is secure, that we often forget this isn't the main topic of conversation at other enterprises. As a result, we are sometimes shocked to discover a security team isn't creating an application security program or maturing their current program to reduce risk at their enterprise. Yet, it shouldn't be shocking, because it isn't uncommon for us to be told the enterprise we are talking to just isn't concerned about application security right now.
"What? How could this be?" we at Veracode collectively wonder. Application security issues are plaguing enterprises in every industry and causing some of the highest-profile breaches! And as Sara Peters of Dark Reading said, "security all comes back to code."
It isn't that they aren't concerned about application security – they are – it is that priorities are focused elsewhere. It reminds me of college and high school when a classmate would get frustrated with a class. Inevitably, he or she would say something like "why do I have to take this class, I'll never have to use it." This used to drive me crazy – you have to take the class because it is part of the requirements. Plus it makes you a well-rounded person to learn about topics outside your future vocation. But then I realized this sentiment was actually born out of frustration rather than narrowed interests. These classmates were having trouble in the class and didn't feel the frustration was necessary because the coursework wasn't related to one of their priorities in life.
Application security is similar to that. I think a lot of companies are aware software can have vulnerabilities. However, security teams have other initiatives vying for their dollars and time, and right now application security just isn't a priority. "Besides," these teams think, "what are the odds we'll be breached through the application layer anyway?" This sentiment is the equivalent of "I'll never use this in real life." But, according to Forrester, the answer to "what are the chances?" is "pretty good." Forrester predicts that in 2015 "at least 60 percent of organizations will suffer a security breach." Research from the U.S. Department of Homeland Security (DHS) found that 90 percent of security incidents result from exploits against defects in software. Perhaps security professionals need to rethink their "I'm never going to have to use this" argument.
As the biennial Global Information Security Workforce Study published by the International Information Systems Security Certification Consortium (ISC)2 showed, application vulnerabilities continue to top security professionals' list of worries, but aren't a major concern. What this tells me is that security professionals aren't able to demonstrate the value application security can have for the enterprise – and I don't mean just breach avoidance. Instead of reminding CISOs and security professionals that application security is important, we should help them demonstrate to their colleagues and superiors (aka the board and the CEO) that application security can actually fuel innovation and provide cost savings. Maybe then application security will become a priority, and we will stop hearing the "I'm never going to use this" argument.