Since organizations started opening their internal applications to the Web, a little more than a decade ago, it became clear that the security of those connected applications would be more complex – and critical to get right – than before.
Unfortunately, through complacency, perhaps a feeling that their particular business wouldn’t be a target, or the rush to simply get applications deployed and into production – many businesses never made web application security a priority. And many that want to don’t always know where to get started, or how to keep an application security program in place once initiated.
A new survey of 170 IT professionals on the state of their enterprises’ secure software code delivery and lifecycle management procedures found that while 74 percent of respondents have a level of secure development processes in place, 59 percent do not rigorously follow key security and quality processes. The report, the State of Secure Application Lifecycle Management, was done by research firm Creative Intellect Consulting in association with (ISC)2 and the International Association of Software Architects (IASA).
“Most large companies are doing something, as are the industry sectors you’d assume would take software security seriously such is software vendors, financial firms, and government organizations,” Chris Wysopal, founder and CTO of Veracode, said. “In many business, however, the processes are still ad hoc. They don’t have a programmatic application security program in place.”
While ad hoc application security programs are arguably better than no action at all, most experts agree that any increase in security is limited to only that application, and for only as long as the application doesn’t change. To make a real, sustained impact, businesses need to put into place a systematic application security program. That entails taking an inventory of applications, ranking them by business criticality, and then applying secure-development and quality-control process to those applications.
“That’s a big challenge,” says Wysopal.
Challenging sure, but also attainable and essential for organizations to reach an acceptable state of security today. So where should an organization get started? Surprisingly, to many, the process doesn’t necessarily start with technology or process but politics.
“For a successful program, it’s essential that you get high level executive sponsorship,” says Caleb Sima, CEO at web application security firm Armorize.
“You have to get someone at that CIO or CSO level to say, ‘I understand that application risk is a significant risk to the organization. I think we need to go organization-wide,'” adds Wysopal.
Getting that executive buy-in for an application security program may require a catalyst, or some type of application-security win. That catalyst could be a partner who is requesting information on the firm’s secure development process, or – in a worst case – an application is hacked and needs to be hardened.
“Many times there will be a critical application, such as a company’s main website, that will get exploited or attacked and it will be on everyone’s radar,” says Wysopal. “They’ll listen and invest in tools and application security training. And once you have success there, you then have to translate that throughout the organization.”
Another catalyst could be regulatory demands.
“One of the things we recommend to help get application security adoption is to position the program as something that must be done. The channel there could be regulatory compliance, such as PCI DSS,” says Vincent Liu, managing partner at security consultancy Stach & Liu, LLC. “Regulations, and partners or customers, that demand secure applications be in place are very often what will catch the attention of business leaders,” says Liu.
With the attention, and hopefully the backing, of executives or business managers, it’ll be easier to secure the funding needed for the right tools, services, and secure application development training. That then leaves you with the not-so trivial task of putting an application security program in place.