C. Warren Axelrod

Where Are the AppSec Candidates?

I recently gave a presentation at the 2013 IEEE LISAT (Long Island Science, Applications and Technology) Conference on “Mitigating the Risks of Cyber-Security Systems.” First, I pointed out the important differences in definitions of cyber-security systems … some (such as the National Science Foundation) consider them to be embedded systems which join together physical control components and computational applications; others (such as I) take a more holistic view wherein cyber-physical systems comprise the interconnection of Web-facing and network-based distributed data-processing applications. The talk was based on my recent book “Engineering Safe and Secure Software Systems” (Artech House, 2012).

In the Q&A period, a member of the audience described his great difficulty in finding and hiring qualified applications security engineers and developers and asked for suggestions. My response was basically that there are very few such animals and that he can hire consultants to train his programmers and to review the architectures, designs and code proposed by his people. I also said that it is better (easier) to train software engineers in security than to train security experts in software development. I mentioned that there are few, if any, colleges producing undergraduates with the combination of development and security skills needed, and suggested that he have his applications manager and developers take courses, obtain graduate degrees from colleges and universities, attend seminars and conferences (such as SANS … see http://www.sans.org/), join organizations such as OWASP … see https://www.owasp.org/index.php/Main_Page, and (although I forgot to mention it at the conference) obtain a certification such as the CSSLP® (Certified Secure Software Lifecycle Professional) … see https://www.isc2.org/CSSLP/Default.aspx

I also advised that the prime motivators for implementing an effective application security program are full support from senior management (a precursor to which is educating executives about the importance of implementing secure software), and often pressure from business partners and customer organizations, whether in the public or private sectors. In a subsequent discussion I pointed out the impact of Bill Gates’s pronouncement more than a decade ago of Microsoft’s Trustworthy Computing Initiative as being a strategic necessity. Microsoft’s SDL (Security Development Lifecycle)—a misnomer in my book (literally!)—has had tremendous positive impact in raising the security bar of Microsoft products and may well have influenced other development shops to improve their security efforts.

The truth of the matter is that, despite all of these resources, there is a serious lack of qualified application security experts, particularly those with extensive programming knowledge and experience. And those that become available are quickly snapped up by big companies, government contractors, and government agencies. This leaves smaller firms with little choice but to try to obtain third-party assistance, which is often limited and always costly.
