IT security auditors, whether they’re in-house or external, are forming stronger relationships with IT and security staff. They have to in order to effectively perform their audits. It’s good for the auditor, IT staff, and the business as a whole. When everyone’s on the same page, information flows freely and informed decisions can be made about security.
The problem is, not everyone is on the same page. Namely software developers.
In virtually every situation I’ve come across, developers have been out of the loop on discussions concerning IT audit, compliance, and overall governance. Yet, the decisions they make and the work they do have a profound effect on the business’s security posture. I’m convinced this is a large reason why we still have so many web security risks to contend with.
Based on my experience, I’m willing to bet that IT audit’s involvement with software developers in any given organization is checkbox-based at best:
Auditor: “Do you incorporate security into your software development practices?”
IT representative: “Yes. Our developers do that.”
Auditor: “Great, thanks.”
The roles and expertise for ensuring proper web security oversight do exist but the means for actually bringing it all together is faulty. Simply put, web security is not being addressed at the proper level.
Not that IT auditors are all knowing; it’s just that they have one thing that many people in IT and information security don’t: the ear of management.
I see the scenario time and again where IT admins or security managers beg and plead for the resources to properly test and secure their web applications, yet their requests fall on deaf ears. But when an IT auditor documents detailed web security concerns in his audit report, suddenly the board is involved, legal has a hand in it, and management miraculously comes through with money and support.
I believe that this is not an intentional oversight in the business-audit-security cycle. I think it’s more of a side effect of how business, IT, and software development have evolved.
Acknowledging the problem is half the battle. Do your part to bring everyone together and keep the conversation going.
Auditor, meet developer. Talk among yourselves. Get to know each other. You just might learn something.