Jeremiah Grossman dives into the question, Why isn’t more money being spent on Application security when it is obviously important today?
During an event, a panel of Gartner analysts asked the audience what the best way is for an organization to invest $1 million in effort to reduce risk. The choices were Network, Host, or Application security… The audience selected Application security. However, the Gartner CSO (who took the role of CIO in the play) overruled the audience’s decision. They instead selected Network security, while at the same time curiously agreeing that Application security would have been the better path. His rationale was that it is easier for him to show results to his CEO if he invests in the Network.
He has a point!
I also believe it has to do with visibility and knowledge. We’ve had networking and systems around for quite some time, and we’re getting better at operationally baking in and showing security. I don’t think we’re nearly as mature with application security. Unless someone codes, they really just don’t get it because it is hard to visualize and measure.
There is also an experience or knowledge gap where, again, unless you’re a developer, you really can’t effectively explain or demonstrate security or how to code securely. I’ve seen “senior” developers who have zero thought about security other than on the most basic level (i.e. “sure, we have admin and normal user types in the system…”).
The rest of Jeremiah’s article is also excellent reading. I love his point about the immediacy of results. That’s a frustrating business mindset for technical problem solvers.
Maybe that gets into the realm where the business needs to start working with IT, as opposed to *only* saying IT needs to align with business.