This is the final segment of our interview series featuring Josh Corman at SOURCE Boston 2012. In this video Josh discusses the hierarchy of AppSec within organizations and the roles of legislation and third-party security. The video and a brief overview of Josh's responses are below. Part one of the interview was released on Monday and can be seen here. Part two of the interview was released on Wednesday and can be seen here.
Does AppSec need to grow out of a development organization?
Josh talks about the roles the different tiers of an organization have in AppSec. He emphasizes that top-down mandates on AppSec are vital in prioritizing security during the development process. He believes that the solution to ensuring secure code does not lie solely with the engineer; it also depends on how the functional specification is set out. Josh speaks about how the roles of the CIO and the CTO can drive and reward good AppSec practices. He states that developers will solve problems if given the correct requirements.
Legislation & Third-Party Security
In this segment Josh talks about the "multi-step lag" in information security, with adversaries being ahead of researchers, researchers ahead of product delivery, product delivery ahead of customers, and customers ahead of legislation. He talks about the constantly changing threat landscape in AppSec and how legislation struggles to keep up. He outlines that legislation is either too vague to be effective or too specific to last and adapt to changes. He suggests that companies publicly outline the steps they take to ensure the security of customers. Josh states that customers who care about security will be willing to pay more to companies that have better security measures in place.