Information Security in Application Development Projects

7 03 2012

At my organization, Information Security has historically been disregarded. For a company with 15,000 employees in a highly regulated industry, this is hard to imagine. Fortunately, executive management now appears to see the importance of this function, having finally hired a Manager of Information Security. Since this new manager came on board roughly two years ago, many significant positive changes have taken place and the organization is definitely more secure than in the past. However, it takes time to become highly efficient and successful in this area, as technology is constantly evolving and it is necessary to stay one step ahead of the game. To this end, I believe that the lack of security in application development and project management processes is still a major weakness in my organization, and a considerable amount of effort will be needed to reduce the likelihood of security issues in this critical area.

Apparently, I’m not the only one who is worried about information security being minimized when planning application development projects. It appears to be a weakness that many organizations struggle with. Robert J. Ellison of the Software Engineering Institute at Carnegie Mellon University states, “An organization can either incorporate security guidance into its general project management processes or react to security failures. It is increasingly difficult to respond to new threats by simply adding new security controls. Security control is no longer centralized at the perimeter. Meeting security requirements now depends on the coordinated actions of multiple security devices, applications and supporting infrastructure, end users, and system operations. Reengineering a system to incorporate security is a time consuming and expensive alternative.” [1] I agree with Ellison that it is by far cheaper and easier to build quality into the product up front than to fix it once it has been developed.

Why does security get overlooked so often when running an application development project? While I’m sure that there are many reasons, Ellison seemed to hit the nail on the head when he said, “Software errors can be introduced by disconnects and miscommunications during the planning, development, testing, and maintenance of the components. Although an application development team may be expert in the required business functionality, that team usually has limited or no applicable security expertise.” [1] Brian Koerner, a chief security engineer for a Fortune 500 computer services firm, seems to have a similar opinion. He states that, “If an organization is serious about developing secure applications, it is essential for it to bring in the security professional early in the development process. The security professional should understand the purpose of the application and how it will be used, as well as have an understanding of the business and security requirements that apply to the solution.” [2]

John Steer, a Senior Security Consultant with Microsoft ACE Services, summarizes the importance of information security in application development projects by saying that, “Too much software is developed without security as a feature. It is interesting how many companies rely on the sale of software intellectual property as a source of revenue yet do little to protect that property. Working in application security, I often notice how many companies have elaborate security policies for protecting physical and information infrastructure, but who never extend that effort to the application development process. Many companies overlook the use of security policies when protecting their software application layer and related intellectual property. When an application is developed without regard to security, that application can become a threat to the environment in which it is deployed. Obviously, this process puts both the development organization and the end user organization in a security deficit. To make security part of the application architecture, designers need to understand the requirements of the security policy so that they can properly build these things in as feature requirements.” [3]

In summary, I believe many organizations are struggling with similar security concerns in the project management and application development space. It is unfortunate that this is the case, but a lack of internal expertise and the inability to find suitable professional resources for these roles have compounded the problem. Regardless of these challenges, it is imperative that my organization begin working towards integrating security into the lifecycle of an application development project.

___________________

[1] https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/project/38-BSI.html

[2] http://www.certmag.com/read.php?in=3401

[3] http://technet.microsoft.com/en-us/library/cc512576.aspx

One response

7 04 2012
Custom Software Development Companies

Your post is very informative and more interesting. I like it very much and it is more useful for me to develop the Software Applications.
