Software developers are paying greater attention to application security, but a shortfall in qualified staff is serving as an impediment for many organizations, according to a recent SANS Institute study. With a growing spotlight on software security, it may be the case that organizations need better tools for prompting employee buy-in and encouraging education in this area.
According to the 2014 Application Security Programs and Practices survey, approximately 83 percent of respondents reported their organization now has an application security program in place, a substantial increase from the 66 percent who said so the year before. Additionally, more than 37 percent reported that their Appsec program has been operating for more than five years. While the general upward trend was encouraging, there are still many roadblocks facing companies looking to improve software security, analysts noted.
One of the biggest barriers to improving application security is a lack of personnel with adequate skills and experience, the study noted. One issue, according to some experts, is that application security is not a focus from the start of developer education. Information security researcher David Lacey told SC Magazine UK that he believes information security training needs a greater emphasis on skills like project management and marketing, explaining that companies need staff who can encourage buy-in for Appsec initiatives.
"These skills are not encouraged in the current syllabi that you see in information security training," he told the publication. "My advice would be, scrap the whole lot and start again. I'm more into revolution than evolution because I think it's a step change that's needed."
Improving skills and improving security
One aspect of application security that is becoming more prevalent is testing. According to the study, more than 35 percent of respondents reported testing the security of their applications on an ongoing basis, up from 23 percent the year before. Additionally, just 3 percent said they did not test at all.
More ongoing testing during the development process could be one effective way for companies to both encourage Appsec buy-in and educate developers as employers look to close the skills gap. Tools like static analysis software let developers run automated tests on their own code to quickly scan for potential security errors. Placing testing in the hands of developers can be an effective strategy for correcting bad habits. Peer code review programs can also be effective, leveraging the expertise of developers with strong security backgrounds to examine the work of less experienced employees.
Companies can also strengthen software security programs by making sure their employees are in the right roles, Amanda Finch, general manager at the Institute of Information Security Professionals, told SC Magazine UK. For instance, moving developers who hold security credentials into a role focused on application protection can spread the benefit of their knowledge across the organization. According to Francois Gratiolet, European CSO for Qualys, improved automation of security functions will also help. Nonetheless, businesses need a combination of tools and processes that encourage application security.
"Automation alone is not a magic bullet," he told the source. "Businesses themselves must start raising awareness of good security practices within their own organizations too."
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.