A Missing [Security] Element in Software


By (ISC)² COO Wesley Simpson

Wesley-Simpson.2-231x300 A Missing [Security] Element in Software

Security. It’s a concept that many organizations view as an optional or ‘nice to have’ faction. Application security is a particularly important topic for organizations to consider when dealing with software vendors and creating software products – whether internally or outsourced. Every organization needs some variance of an application security program. The specific design of each program will vary based on needs and risk tolerance.

According to the (ISC)²® 2015 Global Information Security Workforce Study, application vulnerabilities was identified as the top threat concerning security professionals today. This is nothing new. Vulnerabilities in software have been a known problem for many years. In fact, the last three (ISC)² workforce studies have placed application vulnerabilities at the top of the threat list.

The problem originates from the mantra that software vendors have adopted to get product to market as quickly as possible and to bolt security on later rather than baking it into the entire software development lifecycle.This is a backwards and costly approach. I liken it to a car company developing new automobiles and releasing them to the public without testing the seatbelts. If one of those seatbelts failed, there would be public outcry. Now imagine if the entire line of these automobiles had faulty seatbelts that garnered a mass recall. This level of protocol and public influence is still lacking in the software community; but it needs to change.

For internal software development, it’s important to:

  • Build relationships between security and development.
  • Build security objectives upfront and make sure security is included in the initial discovery phase before the project begins.
  • Train your developers, business analysts, project managers and product managers.
  • Build code analysis tools into the workflow for all developers.
  • Test, test, test. When in doubt, test more.
  • Create a responsible disclosure program.
  • Learn about new trends: crowdsourcing, bug bounties.
  • Maintain good hygiene for configuration management and segmentation.

For outsourced software development, these factors are most important:

  • Apply rigor to the supply chain.
  • Be clear and ensure that security expectations make it into the contract. Read all EULA’s.
  • Question suppliers when new vulnerabilities come out about common components.
  • Know your own risk. What data could be impacted and what is the risk and impacts if it was compromised?
  • If nothing else works, develop a mitigation plan commensurate with risk exposure.
  • Don’t ignore compliance, governance and standards, let them do the hard work for you and be the bad guy.

While that outlines the specifics for internal versus outsourced secure software development, the individual professional component must also be addressed. Here’s the best advice I can impart to help you as professionalsfoster a culture of secure softwaredevelopment in your organizations.

Be Proactive

Being proactive means knowing the questions to ask. Does your company support and embrace proper security standards? Do you have C-level buyin, budget and commitment? Also, really think about the implications of both professional and personal technology decisions.

Be knowledgeable

Keep up to date on industry happenings, including policy and law debates, new technologies and potential risks. As IT professionals, we are a source of knowledge, expected to provide expertise and context from our personal usage of IT as well. Share this knowledge with others – bosses, companies, family and friends. Knowledge has the most power when transferred; not retained.

Be involved

If you have something to contribute, then do so. Don’t just sit back and assume things are happening. Report findings, be ethical and do something that matters. You have the power to potentially impact and even save lives.

Demand better

Whenevaluating technology solutions, you don’t need to be a security professional to ask what providers or vendors do about security. Have that talk. Play the role of a professional consumerby learningabout the security aspects that come along with technology you want to use. Who has a disclosure program?  Who is leading the charge on security and using security as a differentiator? These are the organizations that deserve your dollars.Vote with your feet and your wallet if you do not feel secure with their solutions.

Get trained

Educate yourself on secure software best practices. As quickly as technology evolves today, it’s crucial to stay up to date on the latest threats and best practices for software development. Be active in local chapters and organizations.


The plethora of data now available to us through what has become coined as the Internet of Things has created more need for automated processes. Reduce manual processes complicated by human error where possible.

Most of all, Live

We live in the most exciting time in history for technology advancement. Balance the risk versus reward. Also, learn to balance the fun with probability and make smart decisions. As professionals, we have the opportunity to help solve some of the issues with policy, security, laws, safety and privacy.

The improvement in overall software quality leads to less defects, a better user experience, reduces risk through good governance, enhances the ability to respond to findings quickly and increases awareness. Building and enhancing application security programs in our organizations will go a long way toward making better software. The key to solving and preventing these risks lies with all of us; and through proper training, education and awareness, we will all become better consumers and employees.