If you’ve heard it once you’ve probably heard it a thousand times: time to market is critical. Indeed, when it comes to software development, many business executives, marketers, product managers and sales weasels live and breathe by this mantra. Just get it out the door and we’ll fix the stuff that needs fixing later.
We’ve all experienced this scenario in some capacity. And we’ve seen what can happen. Security suffers, data breaches occur, executives get bent out of shape and perhaps some heads roll. In a classic case of saving face, the stakeholders in management predictably ask “How in the world did this happen!?” and will often go on to proclaim “We can’t let this happen again!” The cycle continues…
But you know what’s interesting? I’m not seeing this scenario as much these days. Instead of time to market holding back Web application security, it’s now cost. Always an underlying consideration, cost is now at the forefront of IT and application security. It’s driving virtually everything in business today. That’s fine. I understand the need to pick and choose where money goes. The problem is that it’s not going to security the way it needs to be.
Case in point: I just had a conversation with an acquaintance who’s a solutions architect at a Fortune 500 company. After telling him what I do for a living he sort of smirked and said “Yeah, we need to be heading towards better application security but instead we’re going in reverse.” He validated the very thing I’ve been seeing of late by telling me that it used to be that time to market was the excuse for poorly-written code but now it’s cost. He said plain and simple, that management just doesn’t want to spend the money that needs to be spent on application security.
Saying the cost is too high to spend money on application security highlights two core problems:
- IT professionals not doing enough to educate management on what’s at risk what there is to lose in the context of their unique business
- Management choosing to ignore the realities that we’re all facing with application security today
Seeing how quickly businesses are going in the opposite direction with security in the software lifecycle begs the question: when will the right time come to spend money on security? How many breaches? How many lawsuits? If application security were any other key business function, it’d get the visibility and attention it deserves. Management just doesn’t see it that way.
If you step back and look at this problem, it’s a chicken and egg situation. The mindset of “If we only had money to spend on application security, we could be more secure.” is like saying “If only that fire would put out some heat we’d throw some logs on it”. As with any capital investment or operational expenditure, application security is a choice. The money is there, it’s all in how it’s being spent. Cost is the current management excuse for not spending money on the testing, training and other things required for solid and secure software. It’s up to us in IT, information security and software development to change that.