What is causing the disconnect between IT auditors and Web development?
This is an interesting dilemma in the enterprise. There are plenty of disconnects between developers and the rest of the organization -- even those working in IT -- which can be detrimental to the business.
There's often a technical disconnect, whereby IT auditors, especially the less tech-savvy ones, are completely out of the loop on what Web developers do -- and help prevent -- in terms of security. There's often a business disconnect, whereby both parties have different goals. IT auditors' goal might be to have a clean Web security assessment report, while Web development's goal might be to provide the most functional or resilient application environment. Both goals are worthy, but they're often completely separate, which can create a divide between the groups.
There's often a business disconnect, whereby both parties have different goals.
There can also be a political disconnect, which is often the strongest and most divisive kind. It's a situation I've seen, one where everyone is looking after himself, protecting his own job and interests without seeing the bigger picture of what needs to be accomplished for the business.
IT auditors tend to have the ear of management, and Web development is often seen as just another techie function that runs itself with little need for support or resources. As a result, I've seen developers literally beg and plead for better tools (i.e., source code analysis and vulnerability scanners) and more security training, and it continually falls on deaf ears. Auditors, on the other hand, are able to document a problem and present it to management, and the needed support is quickly provided.
I don't think it's a malicious disconnect. No harm is meant. It's just the way auditing and Web development have evolved, likely due to auditing's continuous connection with management and development's isolation. Developers and IT auditors can certainly have either a positive or negative impact on one another. It pays to get to know each other and to learn what's expected of their roles.
Dig Deeper on Topics Archive
Related Q&A from Kevin Beaver
Explore the differing roles of inbound versus outbound firewall rules for enterprise network security and the varying use cases for each. Continue Reading
Compare host IDS vs. network IDS through the pros and cons of each, and learn how more modern systems may be better suited to ensure effective ... Continue Reading
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading