The State of Application Security

If you haven’t seen it, there’s a new study out from Ponemon Institute and application security consulting company Security Innovation on The State of Application Security.  For the study, Ponemon sent surveys to 642 executive and engineering professionals at both large and small organizations.  When Ponemon analyzed the survey responses, they came up with some interesting conclusions.

The primary conclusion?

That “…a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.”

Secure architecture standards: How big is the gap?

Depending on the specific question asked, a lot. When asked about the existence defined secure architecture standards:

  • 75% of executives thought those were in place
  • While only 23% of technicians agreed with them

That’s a pretty big gap (52%).

A similar gap existed in response to questions about whether or not education and training programs were updated to keep development teams apprised of the latest threats, security policies, and best practices. Here:

  • 71% of executives agreed or strongly agreed
  • While only 19% of the technicians did

Once again, that’s a 52% difference.

While this is only one survey, as a 20+ year veteran of IT and IT security, I can’t say that the results are surprising. And it’s not because executives are “IT security ostriches” with their heads in the sand (though everyone’s probably encountered a few high level executives that seemed to have tripped up the success ladder by accident rather than merit.) But instead, the vast majority of execs are in the positions they are because they’re astute and not easily lulled into complacency. So why is there this disconnect?

 

Top 3 reasons executives are blind to app security problems

There are many reasons for the big gap between perception of executives and day-to-day reality of developers and technicians – here, in reverse order, are my picks for top 3 — and some ideas on how we can bridge the perception gap.

3. They’re busy with their day jobs

Average workdays are 10-12 hours long and most of us carry around long to-do lists punctuated by daily “fire drill” demands. In IT, we often gripe about how execs just “don’t get it”- but when was the last time you sat down with your CEO or CIO to get a handle on their problems?

Keep things short and to the point:

  • As CEO once said to me “Just show me the answer – you darned well better be able to show me all the math that got you there too. But start with the answer and I’ll tell you if I need to see the rest.”
  • If you’re the wordy type, get someone laconic to go over your documents and presentations – cut to the bone and get to the point
  • If you’re nervous about cutting too much, don’t forget there’s no limit on “Backup Slides” and Appendices

2. Reality is getting glossed over

No one likes a whiner, but pretending things are better than they really are isn’t the way to go either. Think about the last time you got bad news that was delivered effectively. Chances are the person delivering the message gave it to you straight and explained the impacts and consequences upfront.

Don’t sugar coat:

  • Review your presentations for words like maybe and could and replace them with harder ones
  • If drawing a definite line in the sand is overreaching, look for supporting data points and statistics that drive the message home
  • Instead of “there’s a chance this could lead to” try “our competition was attacked last week using the same exploit” or “we did the analysis and our research shows there’s a 00% chance this attack will be exploited”

1. We’re speaking to them “in dolphin”

Clear communication is an art  — and not one that everyone is skilled at; especially a lot of us in IT who are more comfortable with bits and bytes than biz-speak. Executives don’t want to hear about the latest web ‘sploits but they do want to hear about potential compliance violations and business impact.

Before making a presentation to higher ups make sure you know the answer to some key questions.

  • What’s the potential business impact of the problem?
  • Will it result in a compliance violation?
  • How easily can it be exploited?
  • Are there other controls in place to prevent/mitigate the exploit?
  • What’s the cost to the company if deployment is delayed or the application is taken off line?
  • How long will it take to fix the problem and how much will it cost?

 Explain the problem in business terms:

  • Instead of saying the new Ruby on Rails apps is vulnerable to CVE-2012-5664 SQLi – try our new customer facing app will expose private data if we don’t fix it before deployment

 

Bridging the Security Awareness Gap

While it’s easy to retreat back into the mindset of “execs just don’t get it” – especially when looking at numbers like the ones from Ponemon’s most recent survey – don’t forget that bridging the awareness gap is possible. If you’re a technician or tester in the trenches, take a few moments to think about what the executives in your company have heard about application security testing and if they, like the execs in the Ponemon study, are disconnected from reality. Then think about what you can do, using some of the ideas presented above, to re-connect the reality dots.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today