We cybersecurity professionals spend a heck of a lot of time in areas like endpoint security, network security, and overall threat management. In the dozen years I’ve been focusing on cybersecurity, this situation hasn’t changed. Unfortunately, this means that we haven’t paid enough attention to software security in the past, and we continue to maintain this basic status quo approach today.
What’s even more troubling is that organizations always seem to believe that the software they develop is far more secure than it actually is. In the recently published ESG research report titled, Cyber Supply Chain Security Revisited, ESG asked 280 cybersecurity and IT professionals working at U.S.-based critical infrastructure organizations how confident they were about their organizations’ internally-developed software (disclosure: I am an ESG employee). Nearly half (47%) said they were “very confident,” while another 43% were “somewhat confident.”
While IT and cybersecurity professionals seem to be brimming with confidence about their software security, further ESG data makes you wonder why this is so. For example, 33% of the critical infrastructure organizations’ surveyed have experienced a security incident related directly to the compromise of an internally developed application. Furthermore, only about half (52%) of these same organizations have an enterprise mandate for a secure software development lifecycle (SDL) where ALL software development activities must adhere to a rigorous set of security processes. The rest of the organizations give developers plenty of leeway to figure out how much software security is or isn’t necessary on a case-by-case basis.
In my humble opinion, there is a fundamental disconnect around software security at many organizations that resembles the old 80/20 rule. Enterprises tend to employ rigorous policies, processes, testing, and controls for business-critical software (i.e., the 20%) but are much more lackadaisical with the other 80% of code they write. This gives the security team a false sense of confidence, as they equate their organizations’ overall software security with a handful of applications rather than the whole enchilada. Associated software security with mission-critical application security would be like judging your overall home security based solely on the high-end deadbolt lock you installed on your front door. Bad guys will simply eschew the front door and break into your house through open windows and shabby basement bulkheads.
Business executives and corporate boards should really find out for themselves just how secure their internally developed software is – not just the 20% of mission-critical applications, but the entire software portfolio. Oh, and since software security is a pretty specialized field, it’s best to seek out third-party software security experts from companies like HP, IBM, Rapid 7, Security Innovation, Veracode, or White Hat Security to perform an independent assessment rather than rely on the overly confident internal security team.