What's ailing enterprise software security management?

Date: Mar 08, 2013

What are the pain points in enterprise software security management? It's not technology; it's people. Enterprise application security is complicated by the number of business units involved, most of which have insufficient incentive to take part in security requirements work and ongoing vulnerability efforts. Scaling application security calls for an enterprise-wide vulnerability management strategy and a means for disparate teams to collaborate on security, according to Dan Cornell and John Dickson, both principals at the San Antonio-based consultancy Denim Group.

"The security group has one reporting line, and then there are multiple groups with other reporting pipelines," said Cornell, who is also the resident software security expert on SearchSoftwareQuality.com. "There are so many people you have to get on board, and many of them are not getting bonuses in this area. Security and vulnerability management is adjunct and remote to what they're doing."

Conflicts come up even before business units are brought into the security process, said Dickson. "The security group has been in charge, but the people who can effect change are in the software group," he said. Yet even at this level, where the need for collaboration is obvious, getting the security side to collaborate can be challenging. "It's a harsh reality when scaling development," he said.

If there's a barrier between two groups or individuals, look for other partners to collaborate with. Sometimes the choice comes down to personality, so tap app security evangelists in software, IT and business units for the first efforts at a cohesive security program. "Once one or two groups start to show success with collaboration, others get the message," said Dickson. For security architects and managers, as well as CIOs and CEOs, "convincing the units to work together is a sales job."
