Effective application security means making friends with developers
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM | | Tags:  vulnerabilities ibm security mobile appscan development
0 Comments | 4,387 Visits
Today's post comes from Sydney Shealy, Market Segment Manager, Application Security.
When IT security first rose to prominence (when they gave someone a budget and the title of security manager), many organizations focused on infrastructure security. Over time, while infrastructure security has remained important, application security has proven to be a crucial linchpin to effective IT security. Our very own X-Force security team reports that 41 percent of all disclosed vulnerabilities are found in Web applications. We also know the average cost of a data breach is high ($5.5M currently), enabling us to extrapolate that application breaches are both likely and costly. Beyond this, statistics also show that the costs associated with remediating an application vulnerability are lower the earlier in the software development lifecycle the found vulnerability is uncovered and addressed. This fact should provide further encouragement to establish a clear process for addressing Web and mobile application vulnerabilities.
All this said, what makes application security unique is that application security vulnerabilities cannot be effectively addressed without a direct relationship with your development team, who actually remediate the vulnerabilities. At the risk of stating the obvious, most developers are not security experts and are not looking for additional work. In the recent weeks, I've heard first hand from several IBM customers who leverage our own application security solutions to secure their Web applications against attack. I learned that capable tools are critical, but these tools are not useful if they don't foster communication with development teams and provide simple steps to remediate found vulnerabilities. All of these customers I heard from worked hard to simplify the notion of application security, to integrate security into current software development processes, and to make security an acknowledged component of these processes. Their results speak for themselves.
Built on insights like those shared above, our IBM Security AppScan family is designed to not only equip your organization to find and remediate Web and mobile application vulnerabilities with a market leading suite of software for static and dynamic application security testing and reporting, but also to break down the silos between security and developer. At the end of the day, isn't our common goal to build strong applications?