Answer

Selling security: Get management to help fix software vulnerabilities

I think there are security flaws in my test and development environment. How do I convince the executives to invest time and money into fixing these software vulnerabilities?


Kevin Beaver

Getting management on board with security, especially in environments where the return on any investments is even grayer than it is in production, can be tricky at best. What security flaws are present? How can they be exploited? What does that mean to the business? Those are the basic questions you have to answer and communicate effectively to management before you're going to make any headway securing your test and development environment.

Based on what I see in my work, this is a fairly widespread problem. Many test and development environments are rife with outdated software running on unhardened systems. But that's not all; there's often sensitive personal information -- credit card numbers -- and intellectual property -- source code -- that's being exposed to practically anyone on the network.


Deciding on whether or not to harden your test and development systems needs to be based on what level of risk management is willing to accept. I ask my clients if they want to include their test and development environment in my internal vulnerability assessments. The findings obtained when testing these unprotected systems can often skew the overall results. That said, just because software vulnerabilities exist in a fluid environment doesn't mean they shouldn't be counted. The security risks are still there.

Consider the following:

  • Just how vulnerable are your test and development systems?
  • Are you using production data in testing/development?
  • If you place your test and development systems under the umbrella of your production security controls (in other words, patch management, event logging and monitoring, security hardening standards and so on), how much of a burden will that create on: 1) IT management, 2) security and compliance, 3) test and development?

These questions can be answered if, and only if, the right people are speaking to one another.

Beyond this, building your credibility with management is the best thing you can do to address this challenge. Work hard on yourself and you can make tremendous strides in selling security.

This was first published in February 2014
