Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security, according to the Ponemon Institute's study.
"We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn't worked, how industries are organizing themselves and what gaps exist," says Dr. Larry Ponemon, CEO of the Ponemon Institute. "We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it."
"We basically found that developers were much more likely to think there was a lack of collaboration," Dr. Ponemon says. "The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they're getting the word out on collaborating or helping, but they're not doing so effectively."
In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don't understand how to implement that policy. The security organizations think they've done their job, but they haven't managed to make their policy contextual for developers.
Application security training required
"We find that process has no bearing whatsoever on the ability of an organization to write secure code," Dr. Ponemon says. "It doesn't take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write."
But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one.
Ed Adams, CEO of security firm Security Innovation, says he believes providing that education will go a long way toward helping organizations secure their applications and minimize the risk. "This is more of an education problem than anything else," Adams says. "In the late 90s, everybody was putting their applications on the web. But they kept on crashing. It was really a performance problem: The developers didn't know how to code for performance. Amazingly, that's what's happening in the world today. Organizations are buying application security tools before they get application security training. You have to get trained on the technique first."
Writing secure code the first time is also a good way to save a bundle of money, Tipton says. "Write better applications," he says. "A company pays 30 times as much to bolt security on after the fact. IBM claims it's 100 times."
Opening the door to security careers is child's play
Meanwhile, in addition to its series of security certifications, (ISC)2 is doing its part to bring a new generation of security professionals into the field. "Kids coming into the workforce today know 10 times as much about computers as previous generations," Tipton says. "They are prime candidates for sophisticated work in security. We have to create a pipeline that starts in schools, from colleges to continuing education."