What are the pain points in enterprise software security management? It's not technology; it's people. Enterprise application security is complicated by the number of business units involved, most of which have insufficient incentive to take part in security requirements work and ongoing vulnerability management efforts. Scaling application security calls for an enterprise-wide vulnerability management strategy, one that gives disparate teams a means to collaborate on security, according to Dan Cornell and John Dickson, both principals at the San Antonio-based consultancy Denim Group.
"The security group has one reporting line, and then there are multiple groups with other reporting pipelines," said Cornell, who is also the resident software security expert on SearchSoftwareQuality.com. "There are so many people you have to get on board, and many of them are not getting bonuses in this area. Security and vulnerability management is adjunct and remote to what they're doing."
Conflicts come up even before business units are brought into the security process, said Dickson. "The security group has been in charge, but the people who can effect change are in the software group," he said. Yet even at this level, where the need for collaboration is obvious, getting the security side to collaborate can be challenging. "It's a harsh reality when scaling development," he said.
If there's a barrier between two groups or people, look to others to collaborate. Sometimes the choice should be made on personality, so tap into app security evangelists in software, IT and business units for first efforts at a cohesive security program. "Once one or two groups start to show success with collaboration, others get the message," said Dickson. For security architects and managers, as well as CIOs and CEOs, "convincing the units to work together is a sales job."