Seeking security for apps? The QMS model is one to consider
Application security is not a technology; it's a professional practice within an organization's mission. Of course, application security tools are a necessary and critical component of the practice. But so is the strength of your overall software development process; the relative experience, knowledge and skills of your staff; and, most importantly, your management's commitment to application security's contribution to the bottom line. Security for apps is an organizational competency.
Let's use an example from a different discipline: quality. If you're a manufacturer, defective products are a terrible drain on your bottom line. The more defects, the more money you lose. Historically, product defects were such a big problem for manufacturers that they developed a formal organizational practice called a quality management system (QMS). The goal of a QMS is simple: zero defects.
Achieving zero defects is hard. To create a manufacturing process that consistently produces products with no defects, you must evaluate the entire process end to end and meticulously root out any behaviors, practices or materials that might introduce defects. This requires total commitment. Sure, you can use tools to help -- for training, testing, tracking, inspection and the like -- but the underlying enabler is organizational competency.
Regarding security for apps, I'm not suggesting that we can literally achieve zero vulnerabilities, but we should be able to achieve zero known vulnerabilities in our applications by not introducing insecure code, weak configurations, outdated protocols or worse. It will take more than tools to achieve security for apps. Just as with the QMS approach, we must look at our application lifecycle end to end and root out any behaviors or practices or components that might introduce vulnerabilities.
