This year's primary finding is that a much higher percentage of executive respondents believe their organizations are adhering to security procedures throughout the application development lifecycle than do the security staff and engineers who are closest to executing the actual security processes. This is a serious and dangerous misalignment for any organization. Another troubling (albeit not shocking) conclusion is that the majority of organizations are doing the bare minimum as it pertains to addressing application security throughout their development process.
According to Ed Adams, one of the more mind-boggling findings from the report is that 57% of organizations still do not have a basic SDLC in place (we're not even talking about a secure development lifecycle, just a basic run-of-the-mill software development model). He went on to say that it is "alarming that most organizations are not testing (or investing in) for application security especially given that the application layer is at greater risk as more new threats are targeting specifically the application layer." The disconnect between executive management and the "on the ground" security and development staff only exacerbates the situation. Having IT executives espouse to other executives that all is peachy even when it's not leads to a false sense of security that will undoubtedly be shattered.
From Ponemon's perspective, the big concern for security professionals should be addressing the disconnect gap. Clearly there is extensive filtering of information as it moves up the chain from the rank and file. Often people are afraid to be the bearer of bad news and are afraid to tell their superiors the truth. He predicts the gap will worsen as "more and more disruptive technology is introduced into organizations, each bringing additional complexities. BYOD, new development languages, platforms (iOS and Android) each have their own security challenges."
Both Ponemon and Adams agree that organizations are simply not doing enough in terms of updating their internal security training for developers. The root cause is that the vast majority of colleges and training grounds for developers do not teach secure coding, thus pushing the burden onto organizations. Until secure development methodologies and coding are taught to young developers while they are still in school, we will not see major improvement in this area.
Unless you're a pyromaniac like the Roman emperor Nero, how can you best fix this situation without watching your surroundings burn to the ground? A sad fact, but indicative of human nature, is that most of us are not compelled to change until some massive data breach or severe incident occurs. Unfortunately, negative events tend to be the major driver behind change (you didn't stop eating those breakfast burritos until after you had a heart attack). This doesn't mean that you should sit by idly and twiddle your thumbs, waiting for impending doom. Adams explained to me that there are three critical elements of high-performing organizations (as it pertains to application security) that organizations should begin emulating:
- Define development standards and hold people accountable
- Continuous development training (both from a technology and role specific perspective)
- Define how to measure and assess success
Developers are creative people who do not like to be boxed in by rigid structure. So instead of approaching the developers with a "do this and not that" mindset, engage developers' inquisitive side. Avoid forcing a security culture on them; instead, try meshing their culture with the hacker mindset. When developers can see how application vulnerabilities can be exploited and to what degree, they will be much more compelled to adopt secure coding practices compared to you handing them a tip sheet for how to code SQL securely.
The final takeaway is for security pros to up the ante when it comes to ensuring that application security is included in the next budget. Many IT executives only pencil in perimeter protection threats; it has been such a staple of security spending for so long that a disproportionate amount of security spend goes towards it while application-level security gets short shrift. The prevailing thought among many executives is that $1 spent on anything security is good (it is incumbent on IT security teams to better educate their executives on how to better spend security's limited dollars based on priority and threats). Detailing ROI metrics (which every business exec loves) can be difficult, but the key is to ensure that a holistic approach is embraced.
I'd like to thank both Dr. Larry Ponemon and Ed Adams for their insight and taking the time to discuss their findings. The report is well worth the read for any IT professional (especially those with security or application development roles). This is one security gap that we must bridge.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.