Protecting enterprise data and assets is a daunting task. According to IT industry organization ISACA, 82 percent of respondents to an April 2015 survey indicated that their enterprise is now "likely" or "very likely" to be attacked — only 1 percent said it's "not at all likely." Meanwhile, the average annual loss to companies worldwide as a result of cybercrime has reached more than $7.7 million.
With the typical company now relying on somewhere in the neighborhood of 3,000 applications, the risk and challenges of application security are growing exponentially. Although it's important for various departments and groups to play a role in cybersecurity, the sun around which all the enterprise planets orbit is the development team. If this group isn’t involved and engaged — as well as in sync with the CSO and CISO — the sophisticated systems, tools and technologies used by an organization are essentially useless.
Here are three ways — along with three reasons why — your development team should be tied into application security:
the need for a formal developer education program has gone from important to imperative
As software development has evolved into a collaborative task — in many cases involving dozens or hundreds of developers and numerous hand-offs — the need for a formal developer education program has gone from important to imperative. Developers must understand security vulnerabilities, potential threats and best practices in secure coding, and also be aware of security trends and current risks. This is no small matter: A study conducted by Veracode found that organizations that haven't established any type of eLearning program fixed just 58 percent of their discovered vulnerabilities. By contrast, those with an eLearning program in place corrected 75 percent of their vulnerabilities. This nearly one-third improvement translates into a huge difference in risk and potential costs to the organization.
Remarkably, about 63 percent of internally-developed applications undergo no testing for critical security vulnerabilities. Perhaps the most common reason is a lack of governance and standards within the enterprise. The problem is exacerbated by the growing consumerization of IT and software — groups such as finance, marketing, HR and operations may develop software, plug in third-party packages, and use APIs and open source coding. The solution? A strong governance model that clearly defines tasks and dictates practices and procedures. Without formal oversight, there's no way to code consistently and safely. In the end, desired practices and processes break down, making enterprises vulnerable to cyber threats.
Unfortunately, the byproduct of poor communication is anxiety, mistrust and misunderstandings. A Project Management Institute study found that an astounding 56 percent of unsuccessful projects fail to meet their goals due to ineffective communication.
56 percent of unsuccessful projects fail to meet their goals due to ineffective communication
As a result, it's essential to establish a task force and teams to break down silos and ensure that developers meet the needs of their different constituencies. Moreover, enterprises must use tools and technologies that facilitate communication and collaboration among development teams and other key teams. Ultimately, an organization needs a communications framework that touches the C-suite and the board of directors, but also reaches other key groups in the enterprise — including the legal team, contract management specialists and internal marketing staff — that keep everyone informed through social business systems, an intranet, videos, e-mail and other methods.
Not surprisingly, when an enterprise achieves a high level of buy-in and builds out a robust framework to support application security, it's possible to address overall security requirements far more effectively. Although it's impossible to eliminate all vulnerabilities and risks, a focus on these three key areas helps turn cybersecurity from a haphazard, chaotic activity to a best-practices model.