The State of Application Security
If you haven’t seen it, there’s a new study out from Ponemon Institute and application security consulting company Security Innovation on The State of Application Security. For the study, Ponemon sent surveys to 642 executive and engineering professionals at both large and small organizations. When Ponemon analyzed the survey responses, they came up with some interesting conclusions.
The primary conclusion?
That “…a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.”
Secure architecture standards: How big is the gap?
Depending on the specific question asked, a lot. When asked about the existence of defined secure architecture standards:
- 75% of executives thought those were in place
- While only 23% of technicians agreed with them
That’s a pretty big gap (52%).
A similar gap existed in response to questions about whether or not education and training programs were updated to keep development teams apprised of the latest threats, security policies, and best practices. Here:
- 71% of executives agreed or strongly agreed
- While only 19% of the technicians did
Once again, that’s a 52% difference.
While this is only one survey, as a 20+ year veteran of IT and IT security, I can’t say that the results are surprising. And it’s not because executives are “IT security ostriches” with their heads in the sand (though everyone’s probably encountered a few high level executives that seemed to have tripped up the success ladder by accident rather than merit.) But instead, the vast majority of execs are in the positions they are because they’re astute and not easily lulled into complacency. So why is there this disconnect?
Top 3 reasons executives are blind to app security problems
There are many reasons for the big gap between executives’ perception and the day-to-day reality of developers and technicians – here, in reverse order, are my picks for the top 3, along with some ideas on how we can bridge the perception gap.
3. They’re busy with their day jobs
Average workdays are 10-12 hours long and most of us carry around long to-do lists punctuated by daily “fire drill” demands. In IT, we often gripe about how execs just “don’t get it” – but when was the last time you sat down with your CEO or CIO to get a handle on their problems?
Keep things short and to the point:
- As a CEO once said to me: “Just show me the answer – you darned well better be able to show me all the math that got you there too. But start with the answer and I’ll tell you if I need to see the rest.”
- If you’re the wordy type, get someone laconic to go over your documents and presentations – cut to the bone and get to the point
- If you’re nervous about cutting too much, don’t forget there’s no limit on “Backup Slides” and Appendices
2. Reality is getting glossed over
No one likes a whiner, but pretending things are better than they really are isn’t the way to go either. Think about the last time you got bad news that was delivered effectively. Chances are the person delivering the message gave it to you straight and explained the impacts and consequences upfront.
Don’t sugar coat:
- Review your presentations for words like “maybe” and “could” and replace them with harder ones
- If drawing a definite line in the sand is overreaching, look for supporting data points and statistics that drive the message home
- Instead of “there’s a chance this could lead to…” try “our competition was attacked last week using the same exploit” or “we did the analysis and our research shows there’s a 00% chance this vulnerability will be exploited”
1. We’re speaking to them “in dolphin”
Clear communication is an art, and not one that everyone is skilled at, especially a lot of us in IT who are more comfortable with bits and bytes than biz-speak. Executives don’t want to hear about the latest web ‘sploits, but they do want to hear about potential compliance violations and business impact.
Before making a presentation to higher-ups, make sure you know the answers to some key questions:
- What’s the potential business impact of the problem?
- Will it result in a compliance violation?
- How easily can it be exploited?
- Are there other controls in place to prevent/mitigate the exploit?
- What’s the cost to the company if deployment is delayed or the application is taken offline?
- How long will it take to fix the problem and how much will it cost?
Explain the problem in business terms:
- Instead of saying “the new Ruby on Rails app is vulnerable to CVE-2012-5664 SQLi”, try “our new customer-facing app will expose private data if we don’t fix it before deployment”
Bridging the Security Awareness Gap
While it’s easy to retreat back into the mindset of “execs just don’t get it” – especially when looking at numbers like the ones from Ponemon’s most recent survey – don’t forget that bridging the awareness gap is possible. If you’re a technician or tester in the trenches, take a few moments to think about what the executives in your company have heard about application security testing and if they, like the execs in the Ponemon study, are disconnected from reality. Then think about what you can do, using some of the ideas presented above, to re-connect the reality dots.
Executive Security Advisor, IBM Security