As pressure to speed the development of applications intensifies, CISOs must be the "voice of reason," taking a leadership role in ensuring security issues are addressed early in the app development process, says John Dickson, principal at Denim Group, a Texas-based security consultancy.
"With competitive forces driving faster software deployment schedules, security architects are implementing end-to-end automation and other strategies to ensure rapid software deployment does not leave security behind. But still, the chasm between security and application development functions remains wide," Dickson says in an interview with Information Security Media Group at the recent 2016 RSA Conference Asia Pacific & Japan.
Security teams across all business sectors are struggling to adapt to the faster application development cycle, Dickson says. "It is a question of building a security culture to adapt current application security and software development lifecycle approaches with more automation to understand software-associated risks," he says.
Challenge for CISOs
One challenge for CISOs, he points out, is that many lack expertise on application risks, having focused primarily on network security issues. Thus, they may fail to ask the right questions of application development teams to discern potential risks.
"To ensure the application development environment is secure, CISOs need to take an adaptation approach to automate every security process possible and squeeze application testing cycles and automate the entire process - and fully automate the application vulnerability resolution process, too," he says.
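One concrete shape "automating the testing cycle and the vulnerability resolution process" can take is a pipeline gate that consumes scanner output, suppresses findings already accepted in a baseline, breaks the build only on new findings at or above a severity threshold, and turns the rest into ticket payloads for the resolution workflow. The block below is an example added here, not code from Dickson or Denim Group; the scanner output is constructed for illustration, its field names follow the public SARIF 2.1.0 layout, and the fingerprinting scheme and severity ranking are this example's own assumptions.

```python
"""Minimal CI security gate: reads SARIF-style scanner output, compares it with a
baseline of accepted findings, and fails the build on any new finding at or above a
severity threshold. The sample document below is constructed for illustration."""
import hashlib
import json

# Severity ranking used by the gate (assumption: scanner uses SARIF "level" values).
SEVERITY_RANK = {"note": 0, "warning": 1, "error": 2}

# Constructed sample: a SARIF 2.1.0-shaped document as a SAST tool might emit.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input in SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "debug-enabled", "level": "note",
             "message": {"text": "DEBUG=True in settings"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def fingerprint(rule_id, uri, message):
    """Stable identity for a finding so re-scans do not re-open known issues.
    Line numbers shift as code moves, so the key is rule + file + message text."""
    raw = f"{rule_id}|{uri}|{message}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def parse_sarif(text):
    """Flatten SARIF results into plain dicts, each carrying a fingerprint."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            line = loc.get("region", {}).get("startLine")
            msg = r["message"]["text"]
            findings.append({
                "rule": r["ruleId"],
                "level": r.get("level", "warning"),
                "file": uri,
                "line": line,
                "message": msg,
                "fingerprint": fingerprint(r["ruleId"], uri, msg),
            })
    return findings


def gate(findings, baseline, threshold="error"):
    """Decide pass/fail. Only findings absent from the accepted baseline count;
    those at or above the threshold block the build, and every new finding
    becomes a ticket payload for the resolution workflow."""
    min_rank = SEVERITY_RANK[threshold]
    blocking, tickets = [], []
    for f in findings:
        if f["fingerprint"] in baseline:
            continue  # already triaged and accepted; do not re-open
        tickets.append({"title": f"[{f['rule']}] {f['file']}:{f['line']}",
                        "severity": f["level"], "body": f["message"],
                        "fingerprint": f["fingerprint"]})
        if SEVERITY_RANK.get(f["level"], 1) >= min_rank:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking, "tickets": tickets}


def run_gate(sarif_text=SAMPLE_SARIF, baseline=frozenset(), threshold="error"):
    """Convenience entry point: parse, then gate."""
    return gate(parse_sarif(sarif_text), baseline, threshold)


if __name__ == "__main__":
    result = run_gate()
    print("PASS" if result["passed"] else "FAIL")
    for t in result["tickets"]:
        print(f"  {t['severity']:8} {t['title']}")
    raise SystemExit(0 if result["passed"] else 1)
```

The baseline is what keeps such a gate tolerable to developers: without it, every pre-existing finding blocks every build and the team learns to bypass the check. Accepting a finding means adding its fingerprint to the baseline through the ticketing workflow, not editing the gate.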
In this interview, Dickson also offers insights on:
- How automation helps in identifying web application vulnerabilities;
- Steps to deal with software-associated risks;
- Building a security culture in the application development environment.
Dickson, principal at Denim Group, has nearly 20 years of experience in intrusion detection, network security and application security in the commercial, public and military sectors. He helps CSOs of companies and government organizations launch and expand their critical application security initiatives.