As many are aware, in late 2010 the consulting firm Creative Intellect Consulting UK surveyed (ISC)² members, along with other software development, IT and information security professionals and software architects from around the world, in order to better understand the impact of security on the software development and delivery processes. The survey results appear in a 17-page report entitled The State of Secure Application Lifecycle Management: A leap forward and backwards for software security. In its introduction, the report author states:
The results of the survey show that security is still not embedded tightly into the software delivery process and that there is a belief, among practitioners, that management is not fully committed to a secure code approach. The culture and attitude or, to be more succinct, the lack of the right mind set for delivering and maintaining secure software, throws light on some worrying concerns. It begs the question as to whether organizations have the capacity for and are ready to deliver secure software targeting next-generation technologies such as Cloud Computing and mobile delivery platforms.
With national security at the forefront of the President’s agenda, I believe it is important to filter the results of this study through the unique perspective of how the global issue of secure software delivery is being addressed within federal programs and best practices. As a former ‘fed’ with over 27 years’ experience in government IT practice and leadership, I have come to several key conclusions about the report findings that I believe are important, particularly for the advancement of the federal government’s endeavor to secure the software development lifecycle. My conclusions are as follows:
1. The need for management buy-in. The report indicates a weak leadership drive for secure software development, with 50% of respondents saying that a focus on secure development is not driven or influenced from the top. Add to this the high percentage of respondents (over 65%) who cite management support and investment as a significant factor preventing them from improving security across the application lifecycle process, and we have clearly identified a significant challenge for federal agencies to overcome. I find this particularly interesting in light of the fact that our 2011 Global Information Security Workforce Study and our 2010 Federal CISO Survey both conclude the opposite with regard to management buy-in of overall information security within an organization. These studies found that information security professionals have finally achieved management support within their organizations. So then what does this discrepancy say about management’s focus on the area of the SDLC vs. its focus on the overall information security of an organization? Something to ponder.
2. The need to change culture. The report demonstrates that another significant factor preventing survey respondents from improving security was culture and mindset, with over 73% of the respondents rating this as a high cause. Within the federal government, culture is one of the most significant roadblocks to change, particularly when it comes to innovation and adopting new technologies. While management may play a big role in dictating the culture of an organization, it is an organization’s culture that often dictates recruitment and retention of personnel. By further addressing the issue of an agency’s culture and mindset toward secure software practices, in my opinion federal agencies will be better able to attract and retain those who are skilled in the field.
3. The need for more education. According to the study, most respondents (70%+) would like better education and process support. Within the federal government, this conclusion probably shouts the loudest for the simple reason that it echoes what is currently being communicated through programs like NIST’s National Initiative for Cybersecurity Education (NICE), a variety of recommendations coming from the academic community, and legislative initiatives coming from the Hill in an effort to enhance the overall security posture of the United States. For the foreseeable future, education will be one of the key areas of focus for our government as it seeks to “Build Capacity for a Digital Nation” under the Obama Administration.
Whereas this survey’s findings might be interpreted as a “leap backward” for software security, it is encouraging to me for one simple reason. It confirms that (ISC)² is moving in the right direction by working with the U.S. Department of Defense and other federal agencies that are seeking to build a skilled SDLC workforce through the Certified Secure Software Lifecycle Professional (CSSLP) certification and education program. I am truly excited about where we are headed as an organization and as a profession in an effort to better address the threats in this area of the U.S. federal government and beyond. My hope is that by arming SDLC professionals with the right tools and information, we are not only helping to reduce the global risk of unsecured software, but we are also contributing toward the U.S. government’s effort to retain and recruit skilled government IT professionals.
To obtain a copy of the report, The State of Secure Application Lifecycle Management, please send an email to Creative Intellect Consulting Analyst Bola Rotibi directly at firstname.lastname@example.org. To review a press release detailing the findings, please visit http://www.isc2.org/PressReleaseDetails.aspx?id=7177.