What's ailing enterprise software security management?

Date: Mar 08, 2013

What are the pain points in enterprise software security management? It's not technology; it's people. Enterprise application security is complicated by the number of business units involved, most of which have little incentive to take part in security requirements definition and ongoing vulnerability management. Scaling application security calls for an enterprise-wide vulnerability management strategy, a means for disparate teams to collaborate on security, according to Dan Cornell and John Dickson, both principals at the San Antonio-based consultancy Denim Group.

"The security group has one reporting line, and then there are multiple groups with other reporting pipelines," said Cornell, who is also the resident software security expert on SearchSoftwareQuality.com. "There are so many people you have to get on board, and many of them are not getting bonuses in this area. Security and vulnerability management is adjunct and remote to what they're doing."

Conflicts come up even before business units are brought into the security process, said Dickson. "The security group has been in charge, but the people who can effect change are in the software group," he said. Yet even at this level, where the need for collaboration is obvious, getting the security side to collaborate can be challenging. "It's a harsh reality when scaling development," he said.

If two groups or individuals cannot work together, look for others who can start the collaboration. Sometimes the choice comes down to personality, so tap application security evangelists in the software, IT and business units for the first efforts at a cohesive security program. "Once one or two groups start to show success with collaboration, others get the message," said Dickson. For security architects and managers, as well as CIOs and CEOs, "convincing the units to work together is a sales job."
