Application Security: An Afterthought for Most Organizations

My comment on this article from Infosecurity - The PonemonInstitute: Most Organziations are Woefully Behind in Application Security  was too long for LinkedIn where I found the original link so I stuck it out here.  A relevant and I think fairly accurate assessment when it comes to corporate IT application developers and security practices.  A generalization but a lot application developers are not adequately educated when it comes to application security practices.  Security is seen as a checkpoint item somewhere in the project lifecycle (if at all) versus integrated into the SDLC.  Another force at work is the relationship between the application developer and the security team.  It's not always a healthy one where application developers perceive correctly or not the security team's mission of just saying no.   

The other big elephant in the room is that the current security practices installed in most of the corporate world is the perimeter based defense approach to security, i.e. firewalls, proxies, dmzs etc.  This gives the application developer a false sense of security for their internally hosted applications and as result internal breaches account for some of the more devastating security breaches.  It's possible that the emerging thoughts around zero trust networks will help address this but it's certainly in the early stages.

From my viewpoint in the enterprise architecture world I think seeing security as a strategic enabler versus a defense or checkpoint can give an organization the ability to innovate at a far faster pace than those that do not.  Those that perceive security as a necessary evil or a drag on their efforts will struggle to keep up.  The great challenge of course is elevating security to that strategic enabler role and getting application developers to understand the importance.  Again an excellent article and a must read for CIOs and Enterprise Architects.