- The cost of breaches due to poorly designed applications is reaching a tipping point that will force enterprises to re-evaluate their development priorities.
- The need for greater collaboration between development and security groups as well as better education and training in secure code development has never been greater.
The IT industry is reaching a point in the evolution of cybercrime where it will have to pay far more attention to secure application development. Right now developers are neither properly trained nor incentivized to create secure applications; they are incentivized to write more code that addresses specific business functions. Enterprises do not pay enough attention to how well systems and applications can stand up to malware, and that inattention has come back to haunt them. Reliance on bolt-on security—security that is largely an afterthought to the full lifecycle of enterprise applications—is the norm. And the constant cycle of searching for vulnerabilities, issuing notifications, patching and so on is costly, complex and error prone. Two of the largest breaches reported in 2011—the Sony and RSA breaches—were the result of unpatched software. (It should be noted that the RSA breach cost the company $66 million, and one estimate of Sony’s damage went as high as $1.25 billion.) It should be broadly understood by now that it is much more expensive to remediate vulnerabilities after applications are released into production than it is to fix those issues during the design phase.
Ironically, software developers are aware of the problem, but security professionals do not share the same level of awareness. A recent Ponemon Institute study uncovered a serious disconnect between the two groups in how they view the security of their applications. It showed that half of the security professionals surveyed believed adequate security controls were in place within their applications, while seven in ten developers viewed security as lacking in their applications. At the same time, 80% of the developers surveyed said there is no process for building security controls into their applications, while 64% of security personnel expressed the same view.
The study uncovered a need for much greater collaboration between the development and security teams, but there is also a need for greater training and education in the development of secure applications. The Open Web Application Security Project (OWASP) provides guidance through its Comprehensive, Lightweight Application Security Process (CLASP) project, and commercially available tools that aid in the secure application development process are offered by vendors such as HP through its Fortify acquisition and IBM through its Rational AppScan products.
We are quickly approaching a tipping point where the all-too-common view that losses due to breaches are simply a cost of doing business will have to give way to a more integrative way of thinking. Although the most recent Verizon Data Breach Report concludes that breaches do not have “a major, long term impact on stock value,” it also noted that at least four data breach victims were no longer in business because of those breaches. The enterprise emphasis on rapid application development needs to shift to an emphasis on secure application development. Perhaps the relatively new Rugged Software movement (http://www.ruggedsoftware.org/) will help move the industry in that direction.
(For a more thorough discussion of the issue and how to address it, see: http://www.csoonline.com/article/621496/software-security-basics-for-application-development-managers?page=1)