There are a lot of reasons for software companies to not implement security as part of their SDLC, or to take it to another level and implement an overall security program. A lot of software developers are just not aware of the problem, and if they are, their managers are not. Sometimes the developers and managers are aware, but the decision makers want the product out of the door yesterday, and security, being one of the nice-to-haves, slips out of the door.
Sometimes I feel that the ambiguity the whole software security topic brings might be a cause. Companies want to do the right thing, but it is just too much: static code analysis, security code reviews, pen testing, forensics, controls, etc.
If you are already exhausted at the first level, even the second level seems too far.
By the way, if you are a developer trying to convince your manager or a manager trying to convince the decision makers, this will help you a great deal.
Now, let me give you more reasons to take that first step towards a security program.
You don’t want to get sued: In October 2009, a bank got sued because it didn’t implement multi-factor authentication. Not for not implementing authentication, not for having a bug in its authentication system, but for not having multi-factor authentication.
This story changed the way I look at things. Internet users are more aware of the dangerous web, and now they can do something about it. Are you ready?
Security architecture reviews will add another perspective to your design. From a 10,000 ft altitude, security flaws are software flaws at the end of the day; you will have to fix them, and usually their fixes are the most rushed, incomplete and annoying to your customers. Having security architecture/design review meetings at the beginning of your project can add a new and fresh perspective to your overall architecture. Regular design/architecture meetings will result in a fast, reliable, scalable architecture, and maybe a user-friendly, easy-to-use one as well, but this is not all that can cause bugs or flaws. The absence of security can also add flaws. Data breaches cost up to $200 per customer record, and the whole hack could cost up to a scary 8 figure number.
Security architecture reviews can avoid that.
You can use an application security program as an employee retention tool. The most brilliant, smart and efficient programmers are never on the job market. Their number one motivation is not salary, not a nice team and not a foosball table. Their number one motivation is an environment where they do great programming they are proud of. Every brilliant programmer I have seen takes a lot of pride in their work. Adding an application security program would allow your developers to get that feeling.
Did I say you should implement a security program to avoid being sued? Attackers might not be interested in your customer data in particular; they might be interested in just using your infrastructure to distribute malware, or even more.
What is your reason for implementing an application security program, or for NOT implementing one, for what it is worth?


I totally agree with this.
Unfortunately a lot of people are short-sighted on this aspect of software development. They only realize the problem when they fail, and fail hard.
What would you say the #1 reason for being short-sighted on implementing an app security program?
I would say that there are two, which actually boil down to one reason.
Time and money. The cost of software development and security analysis is pretty daunting. There are a lot of up-front costs which, on the surface, have not a lot of return on investment. Besides analysis and development, there are also testing, maintenance and management aspects that have to be dealt with when adding any component. Your reasons within the blog post give some ammunition as to why this is the wrong approach. Fortunately people still tend to be reactive rather than proactive in this aspect.
Sherif,
How many people do you know who are proactive and get excited about buying a private disability insurance policy? Not a life insurance policy … we all know eventually we will die … but a disability insurance policy … one that kicks in only if you are unlucky enough to become disabled and allowed to live.
Due to my hyperconservatism, I bought my first disability insurance policy in 1991 at the age of 25. It was so unbelievably cheap because I was in stellar health and I was so young. The premiums are cheap FOR LIFE.
What does this have to do with application security? Most people think of application security problems as something that happens to others, not to them. Sure, they could start an application security program INEXPENSIVELY from when they first start building out their IT department (like buying disability insurance at 25) but most people don’t see a need.
The vast majority of people in their 40s and 50s also don’t have a private disability insurance policy … they still think they’re immune from living in a disabled state. Don’t you know that these are the same managers that reject application security programs?
Perhaps publicly, perhaps privately … they simply don’t agree with or want to acknowledge the risk. And many times they don’t want to acknowledge the inevitable public display of their ignorance of the topic of application security to their peers.
So what about the situation when it’s obvious that an application security program needs to be built into an existing organization? Well, at that point, it can be a more costly proposition … and that is often used to mask the reasons I give above.
If only organizations could start out smart with regard to application security (e.g. mandate application security be part of college curriculums for CompSci or MIS majors) we could make major inroads.
But, alas, the professors are mostly so far removed from commercial business that they themselves are not application-security-savvy … and are not willing to learn or acknowledge their ignorance … so the cycle repeats!
Erik
Erik,
You are absolutely right. That’s a very real analysis behind the avoidance of the whole matter. I wondered in a previous post whether the different aspects of a security program make it more confusing to software companies. But you summed it up: “Most people think of application security problems as something that happens to others, not to them.”
Thanks for your comment.