Imagine this scenario: your brother tells you he is very concerned that the brakes on his car haven’t been working right lately – but he just doesn’t have time to get to the mechanic. It is important that he gets to work quickly, and putting his car in the shop will slow him down.
What would you say? You’d probably offer to let him borrow your car – right after you slap him upside the head. That line of reasoning doesn’t make any sense, yet it is the same reasoning many companies use to justify forgoing a secure development process.
According to the biennial Global Information Security Workforce Study published by the International Information Systems Security Certification Consortium (ISC)2, application vulnerabilities continue to top security professionals' list of worries. However, the concerns have not translated into adopting secure development practices. Why? Because of the tension between getting software developed quickly and taking time to assess for vulnerabilities.
Some of the findings from the report include:
- Only 24 percent of security practitioners say their companies always scan for bugs during the code development process, with another 46 percent sometimes searching for bugs during development.
- Scanning for application vulnerabilities, either through static analysis or dynamic testing, is a primary way to find them, yet 30 percent of companies never scanned for vulnerabilities during code development.
- 58 percent of companies scanned all their applications following a security incident, compared with 24 percent that scanned applications consistently during code development.
For years it was assumed that the reason enterprises didn’t create secure development processes was a lack of awareness in the security community – but this study suggests otherwise. David Shearer, executive director of (ISC)2, attributes this lack of action around application security to “the tension between getting software developed quickly and taking the time to securely design the product and eliminate possible security bugs,” and states that “most companies will continue to use application scanning only after software is put into production or following a breach.”
The gap between CISOs’ concerns and corporate practices underscores the need for education around the value of secure development practices. One key point is that finding and fixing flaws during the development phase is much less expensive than doing so once the application is live.
What CISOs need is a way to demonstrate that application security won’t slow down the development process, and can in fact create more innovation. I know that obtaining budget and fostering an understanding of the importance of application security can be difficult.
The Gartner Research report “8 Practical Tips to Link Risk and Security to Corporate Performance” can help CISOs develop an argument for why security programs – especially application security programs – don’t slow down innovation; they improve corporate performance. You can read the full report here: https://info.veracode.com/analyst-report-gartner-8-practical-tips.html