Application security is a top concern for security professionals. It is also an area on which many chief information security officers (CISOs) spend the least time, according to recent surveys. Why is there such a disconnect between security professionals and their organizations' software security programs?
CISOs have traditionally worked with network security, and now they need to acquire the skills to work with application development and vendor management, explained Chris Wysopal, co-founder and CTO at Veracode, during an interview with SearchSecurity at the 2014 RSA Conference.
"It's been pretty difficult for CISOs to get their hands around application security because traditionally they have never been engaged with the software development organizations or vendor acquisitions if [the company is] buying software," Wysopal said. "Typically that's done by the CIO."
That is changing, according to Wysopal: "Organizations have done a good job with network security and host security, and when you do that, the attackers go somewhere else." In addition to social engineering and phishing, attacks on Web applications have increased, he said. "The risk has been increasing over time, and it gets to the point where you can't ignore the issue."