From the smallest of cloud service provider startups with no security maturity to the largest of corporations with well-established information security programs, financial and political support for security is often fleeting at best.
Why is this? Year after year, we not only see application security-related breaches in the headlines, but the challenges are underscored by numerous studies. Application security is a problem that needs attention.
Any reasonable person would think that the negative consequences associated with not properly supporting security over the long-term just aren’t worth it. Well, it’s not that simple. There are some core human communication and belief issues at play here that are at the root of why getting management support for security can be difficult.
We can look at many areas of society and see similar challenges. Certain automobiles have poor safety ratings, yet people still drive them. We know the solution to type 2 diabetes, yet it’s as great a problem as ever. Bring political correctness into the discussion on many of society’s issues and nothing gets resolved.
Application security is no different. In many cases, either people see what they want to see or, worse, they don’t want to hear about it if it does not impact them directly. Ignorance is bliss.
If you’re going to obtain – and, just as importantly, keep – the necessary support for your ongoing application security initiatives, there are several key things people in IT, security, and software development keep doing wrong:
It’s these things, which I witness time and again, that keep the wedge driven between management and application security. The simple solution: stop doing these things! Instead, focus on building yourself and your program up in all of these areas, and keep doing it indefinitely.
Dr. Phil McGraw once said, “If I’m going to sell Bill what Bill buys I’d better see things through Bill’s eyes.” Management needs to be able to assess what you’re proposing (or struggling with) related to application security and understand how it fits in with their goals.
Remember, it’s not all about you. Nor is it just about IT, security, or software development. You have to frame everything you discuss in terms that management will not only understand but that they can buy into for the greater good of the business.
Why isn’t secure application development a standard in all organizations? The main reason? Because we’re human – and humans make mistakes. Developers, testers, and security experts alike – we can all stand to do more to help improve security in our respective organizations. One of the best ways to improve is to learn from our mistakes. Learn more by reading “Secure Application Development: Avoiding 5 Common Mistakes”.