Challenges for Software Security Professionals

Friday, December 02, 2011

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

So, recently I asked my Twitter followers to answer the following:

"In 3 words describe the Challenges of Software Security Professionals".

What I got back were some 93 or so answers... some meant to be funny, others absolutely serious... but all convey a few points.  The spreadsheet is here if you want to see it for yourself.  (I will try and keep this available for a while so everyone can take a peek).

Now, while some of you jokingly went through and re-sorted each of the columns to make up some fascinating combinations ... in the end a word cloud emerged that told an interesting story (thanks to Chris Sumner, aka @TheSuggmeister on Twitter).

 

Software Security Assurance Challenges - Word Cloud.jpg

Frankly folks, I'm not sure what to make of this.

The first few words that strike me besides developers (obviously?) is the big BUDGET right in the middle, then security in smaller print (which is weird, isn't it?)... then I get caught up on education, fix, nobody... then CLICK... then communication, insufficient and LACK in big bold letters. 

My eye even gets caught on "politics" and TOOLS in big bold letters... then UPHILL and APATHY.  Dang... we're a cynical bunch aren't we.

The thing is, this is probably the correct sentiment when looking critically at software security challenges from the security practitioners point of view.  Makes me wish I had access to more developers on Twitter... I wonder if they would answer differently.

So what catches your attention?  What are your eyes drawn to?  What conclusions can you draw here that may be insight into how we can improve the state of software security in the enterprise?

Cross-posted from Following the White Rabbit

Possibly Related Articles:
18197
Webappsec->General
Software
Enterprise Security Application Security Development Software Security Assurance Infosec Professional
Post Rating I Like this!
Default-avatar
Chris Rich Cynicism aside, I think these keywords show the frustration is a result of strategic decisions bound by already tight budgets and the influence of shifts that come from having to realign goals to deliver a working security plan. End products/solutions can sometimes disproportionately satisfy non-security priorities adding to this frustration or were invested in with certain expectations only to find later that they did not sufficiently address all of the needs as initially thought.

Quantifying ROI on security investments is like issuing an insurance policy for a ship at sea that’s been in uncharted waters for years, however at NetWrix, our approach to delivering security to organizations is straightforward. Our goal is to offer integrated tools that implement quickly and cost-effectively to get a working robust solution in place so security objectives can be met and managed day-to-day while keeping all vested parties within the organization happy. Furthermore, this is all we do: Security, compliance, change auditing. Combined they can take the challenge out of the equation and just work.

Chris Rich
Product Manager
http://blog.netwrix.com
NetWrix is #1 for Change Auditing: Simple, Lightweight, Affordable
1323352164
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.