Article: Application security more of a priority, but practices lag


  1. An article on SearchAppSecurity.com, "Application security more of a priority, but practices still lag", reports that a Symantec survey has found that more developers consider software security a priority. In fact, 93% of the 400 developers surveyed said secure application development is more of a priority now than it was three years ago. That increase is due to a greater awareness of threats to applications, according to Symantec. However, the implementation of secure coding practices still has a way to go. Time-to-market pressures are still large issues that bump security concerns. In addition, many companies still don't include security in their development life cycles. Symantec's Brad Arkin said, "It's great the numbers are higher, but we're still not getting the coverage we need to protect sensitive data and applications." What will it take to change that? Do companies need to have their applications attacked before they see the importance of including security? Should stiffer rules and regulations be mandated? Or is it an issue of companies not having the resources (people and money) to ensure applications are secure?
  2. Symantec's Brad Arkin said, "It's great the numbers are higher, but we're still not getting the coverage we need to protect sensitive data and applications."

    What will it take to change that? Do companies need to have their applications attacked before they see the importance of including security? Should stiffer rules and regulations be mandated? Or is it an issue of companies not having the resources (people and money) to ensure applications are secure?

    If something is perceived to threaten a company's business, it'll find a way to finance the work. And of course, Symantec would love for security to be more important ;) And just because developers think something is important doesn't mean it's (or has to be) important to the business at large. In some cases, companies actually quantify the costs of a "break-in" and decide they'd rather write that off than try to make their systems more secure. Many companies I've worked at don't know what real security is, don't have a clear and coherent security policy for their systems, and if they do, it's not clearly communicated to the dev teams, nor is it clearly understood how to implement that policy. Many developers think they know what security is but actually harden the wrong aspects of their systems. Real security takes significant effort and intelligence to design and implement; it's expensive and it's rarely perfect - there's always a hole somewhere. I don't believe more legislation helps - people will still make mistakes or overlook things (due to tiredness, lack of skill or an off-day) and legislation can't address that.
  3. The priorities have of course changed a lot over time. Now performance enhancements are being driven into the development life cycle and not left for the after-completion phase. So are security concerns. But while performance engineering has found its way right into the heart of the development cycle, security is a little cornered. Why? Because maybe most of the companies building applications are not very much bothered about some hard-to-find loopholes; rather, they would prefer their application to perform fast, or maybe the immediate output is not very visible. You can experience the performance bottleneck every time, but a security loophole, not always. And of course, data-driven applications will always put more emphasis on security and data integrity; this is not very popular among the community. One reason is that building secure systems is hard and asks for more in-depth skills, and complexity is another issue. But we will have to understand that security is as important as performance and manageability. The idea should be: easy, fast and secure. cheers, http://javaicillusion.blogspot.com/