We’ve been talking about building more secure applications for years. And talking. And talking. But, there’s some hope. You are right – we’ve come a long way in understanding the problem. We’ve got several successful companies that we can point to to start to understand the best practices.

That’s why I like the study cited in my post above from Fortify and Cigital. It provides at least a framework for starting the discussion. Even if you have started, you could use the study to compare to what you are doing and see what might be missing.

After several years of working in application security domain and reading this post just by chance, I felt a lot of data points are nicely amalgamated.

I am happy that we have come a long way in understanding the problem – the first step in solving it.

I couldn’t agree with you more. As we have talked before a few times , throwing just the technology at a problem is a bad idea. Without a sound process, all automation attempts can fail regardless of whether it’s ERP, App Security, or any other business process. Process defines the clear path to your goal, automation gets you there faster than manual efforts.

Thanks!

In a recent trip to Dallas, I met with two very different organizations in this area. One had taken the time to first think about their process and their people, prior to looking for products to solve the problem. The second was completely focused on the product accquistion, allowing the urgency of their interest in the space to dominate their thinking, and causing them to delay their planning for the reality of the ultimate roll-out and return on investment. I hope that they can be successful, but it is far from assured.

I hope that people take Neil’s recommendation to heart.

For a supporting discussion of the same topic, take a look at my post “Five Rules to Saving Money by Avoiding Security Shelfware” at : http://suitablesecurity.blogspot.com

Jack