Imagine this scenario: Your brother tells you he is very concerned because the brakes on his car haven't been working right lately – but he just doesn't have time to get to the mechanic. It is important he gets to work quickly, and putting his car in the shop will slow him down.
What would you say? You'd probably offer to let him borrow your car – right after you slap him upside the head. That line of reasoning makes no sense, yet it is the same reasoning many companies use to justify forgoing a secure development process.
According to the biennial Global Information Security Workforce Study published by the International Information Systems Security Certification Consortium (ISC)2, application vulnerabilities continue to top security professionals' list of worries. However, the concerns have not translated into adopting secure development practices. Why? Because of the tension between getting software developed quickly and taking time to assess for vulnerabilities.
Some of the findings from the report include:
For years, it was assumed that enterprises didn't create secure development processes because of a lack of awareness in the security community, but this study suggests otherwise. David Shearer, executive director of (ISC)2, attributes the lack of action around application security to "the tension between getting software developed quickly and taking the time to securely design the product and eliminate possible security bugs," and states that "most companies will continue to use application scanning only after software is put into production or following a breach."
The gap between CISOs' concerns and corporate practices underscores the need for education about the value of secure development practices. One key point is that finding and fixing flaws during the development phase is much less expensive than doing so once the application is live.
What CISOs need is a way to demonstrate that application security won't slow down the development process and can in fact foster more innovation. I know that obtaining budget and building an understanding of the importance of application security can be difficult.
The Gartner Research report "8 Practical Tips to Link Risk and Security to Corporate Performance" can help CISOs develop an argument for why security programs – especially application security programs – don't slow down innovation, but in fact improve corporate performance. You can read the full report here: https://info.veracode.com/analyst-report-gartner-8-practical-tips.html