Chris Wysopal, CTO and co-founder, Veracode --
I recently led a roundtable event in New York and Washington, D.C., entitled “5 Trends Shaping Software Security.” This event involved several high-level CISOs, and we focused on creating awareness of software security issues within enterprises.
The general consensus was that developer awareness seems fairly mature, while executive awareness remains spotty. Many of the executives were interested in the idea of metrics, particularly comparisons across peer groups. Metrics around secure software could be used to create accountability within business units, with monthly reports showing which groups are producing secure software and creating positive competition between them.
A few of the main topics discussed at the roundtables:
Technology trends: Web 2.0 and emerging mobile devices were top technology threats. Concerns were expressed about the impact of virtualization and Software-as-a-Service on software security. Concerns ranged from a lack of understanding of the new risks introduced by virtualization to new software development methodologies and a lack of recognition of the ‘enemy’.
Managing security from a business perspective: Progress is being made, but balancing compliance, risk management and business drivers continues to be a challenge. Using clear, simple metrics to create corporate accountability is a key goal. Multiple participants mentioned the challenge of balancing security compliance and time to market for delivering software.
Creating a market demand for software security: Most felt that a standard security rating system should be applied to commercial off-the-shelf software as well as outsourced development.
Development best practices: Successes were discussed in increasing developer awareness, and a few leaders had strong programs that spanned the entire software development lifecycle. Security success starts at the code level. Ensuring secure code needs to be a priority, which means preventing flaws like hidden backdoors: a serious vulnerability that can give sophisticated hackers easy, undetected access to an application and the highly confidential customer or company data that resides in it. Whether left intentionally or by accident, a backdoor is a path by which developers bypass authentication or other security controls to reach the application, and its presence raises the security risk of the entire organization.
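To make the backdoor point concrete, here is an added illustration that is not from the post or from Veracode: an authentication check with a leftover debug bypass of the kind described above, the hardened version with no alternate path, and a small heuristic source scan that a pre-release review could run to flag such bypasses. All user names, passwords and patterns are constructed for the example.

```python
# Added illustration (not from the post): a leftover debug bypass in a login
# check, its hardened form, and a heuristic scan that flags such bypasses
# for human review. All names and values here are constructed.
import hashlib
import hmac
import re

# Constructed user store: username -> salted SHA-256 hex digest of the password.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


def login_with_backdoor(user: str, password: str, debug: bool = False) -> bool:
    """Vulnerable: a debugging shortcut left in by a developer lets any caller
    skip the credential check entirely by setting debug=True."""
    if debug:  # hidden backdoor: authentication is bypassed
        return True
    stored = _USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


def login_hardened(user: str, password: str) -> bool:
    """Fixed: a single code path; every caller goes through the same check."""
    stored = _USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


# Heuristic patterns a review pipeline could flag: a branch guarded by a
# debug/test/bypass flag, and a credential compared against a string literal.
_BYPASS_PATTERNS = [
    re.compile(r"if\s+\w*(debug|test|bypass|skip_auth)\w*\s*:\s*(#.*)?$", re.I),
    re.compile(r"(password|passwd|pwd)\s*==\s*['\"][^'\"]+['\"]", re.I),
]


def scan_source(source: str) -> list:
    """Return (line_number, stripped_line) pairs that match a bypass pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in _BYPASS_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    import inspect
    print(scan_source(inspect.getsource(login_with_backdoor)))
```

The scan is deliberately simple and will produce false positives; its purpose is to route suspicious branches to a human reviewer, not to replace one.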
What do you think? Have you experienced security success in your organization? What are the trends in your organization around shaping and monitoring software security?