What's ailing enterprise software security management?

Date: Mar 08, 2013

What are the pain points in enterprise software security management? It's not technology; it's people. Enterprise application security is complicated by the number of business units involved, most of which have little incentive to take part in security requirements work or ongoing vulnerability management. Scaling application security calls for an enterprise-wide vulnerability management strategy, a means for disparate teams to collaborate on security, according to Dan Cornell and John Dickson, both principals at the San Antonio-based consultancy Denim Group.

"The security group has one reporting line, and then there are multiple groups with other reporting pipelines," said Cornell, who is also the resident software security expert on SearchSoftwareQuality.com. "There are so many people you have to get on board, and many of them are not getting bonuses in this area. Security and vulnerability management is adjunct and remote to what they're doing."

Conflicts come up even before business units are brought into the security process, said Dickson. "The security group has been in charge, but the people who can effect change are in the software group," he said. Yet even at this level, where the need for collaboration is obvious, getting the security side to collaborate can be challenging. "It's a harsh reality when scaling development," he said. 

If there's a barrier between two groups or people, look for other groups or people who will collaborate. Sometimes the choice should be made on personality, so tap application security evangelists in the software, IT and business units for the first efforts at a cohesive security program. "Once one or two groups start to show success with collaboration, others get the message," said Dickson. For security architects and managers, as well as CIOs and CEOs, "convincing the units to work together is a sales job."
