How do I convince management to take security seriously? I keep getting negged with time and money constraints. Even serious source code analysis is getting thrown under the rug. Since I can't find exact $$ I'm ignored. Casually pointing out the daily body count of huge, important, hacked sites isn't helping.
Requires Free Membership to View
When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.
Hannah Smalltree, Editorial Director
One technique that often works is to look at what your company's peers are doing. A lot of security spending is reactive and companies end up putting in security processes and technology after a successful attack. You obviously want to be proactive and not wait for this to happen so the next best thing to convince management is by showing them what peers are doing to implement application security. See if you can join a local or industry group and talk to your peers. You could also ask the providers of the technology or services you are interested in for customers that are similar to you and ask if you can call them up for a reference. If you are a large retailer you could talk to TJX. If you are a supermarket, you could talk to Hannaford. If you are a small software company there are plenty of vulnerable peers to choose from.
This was first published in December 2008