Explaining the “why” of Web application security

Looking at the bigger picture of application security it seems that no one else really hears us. Sure, product managers, marketing, legal, HR and even certain people in management say they understand what’s at stake. But are they really on board?

Business leaders have learned that they must teach, train and develop their employees. Otherwise, they can’t expect people to perform at their highest levels. The same goes for us working in and around IT and Web application security. We can try to be high and mighty telling people the sky is falling because our Web applications aren’t secure. We can tell people all day – every day – that they can’t do this, that or the other – all in the name of Web security. But we have to be realistic and ask: how’s that working for us?

Skipping formal teaching, training, and development, and instead forcing Web security on other people doesn’t work all that well. It’s like trying force a religion or political ideology on others and expecting them to just say “Okay, whatever you say.” People and politics just don’t work that way. In fact, many people couldn’t care less about Web application security. Just because something is important to us doesn’t mean it is (or has to be) important to everyone else. Combine the forced messages with ego – something most of us working in IT have struggled with (and need to get over) – and you’ve got a recipe for application security mediocrity.

Rather than spouting no, no, no in a one-way binary fashion without any explanation of where we’re coming from, we need to outline why we’re saying what we’re saying. Why we’re recommending that we need to tighten down on application security controls. Why we’re recommending we spend money on making the development lifecycle better. Why application security matters to the business as a whole.

It’s like continually telling a child not to do something. It just doesn’t work long term. We have to explain why.

We must communicate the value of application security. This means showing that gaining control and visibility into our Web environments is better than the alternative. It also means demonstrating – where it’s reasonable – how Web application security can serve as a competitive differentiator and most definitely impacts the bottom line. But it’s not going to happen unless and until we help push the message forward clearly and respectfully and show its value in the context of our businesses. We’re often Web application security’s worst enemy and we need to come up with ways to fix that.