I understand the plight of senior executives, I really do. Most don't have a software background, and that makes it difficult for them to fully understand application security. But when security breaches are caused by basic, simple code vulnerabilities that can be found using readily available tools, it makes me wonder how seriously businesses take application security at all. Quotes I often hear from CISOs and CIOs when their software is compromised include:
“We did penetration testing and I thought that was enough”
“I didn’t think the application was security critical”
“My technical teams told me everything was ok”
Naivety about software is one thing, but ignorance is another. I would argue that business executives need to be held more accountable when attacks on critical software succeed, particularly when those attacks exploit well-known vulnerabilities that could easily have been found and fixed during development and testing. There is no excuse today for cross-site scripting, SQL injection, or buffer overflows to compromise security: each has been documented for well over a decade, each is caught by commonly available static analysis and dynamic testing tools, and each has a standard fix (output encoding, parameterized queries, bounds-checked buffers). With all of the information out there about application security, releasing software with these types of vulnerabilities is just plain negligent.
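To make the "easily found and fixed" claim concrete, here is an added example (not code from the original post) of the SQL injection case. It shows a login check built by string formatting, the same check written with parameterized queries, and a small scanner that flags SQL-looking f-strings the way a basic static analysis tool would. The table, credentials and payload are constructed for the demonstration; the plaintext password column is only there to keep the example short and is not how credentials should be stored.

```python
import ast
import re
import sqlite3

# --- constructed fixture: an in-memory user table with one account ---
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery staple"


def make_db() -> sqlite3.Connection:
    """Create a throwaway SQLite database with a single demo user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The classic mistake: user input is pasted straight into the SQL text."""
    query = (
        f"SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders keep user input as data, never as SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# A textbook payload: closes the password literal and ORs in a true clause, so the
# vulnerable query becomes ... AND password = '' OR '1'='1' and always matches.
PAYLOAD = "' OR '1'='1"

# --- a minimal static check of the kind any off-the-shelf SAST tool performs ---
SQL_START = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)


def find_fstring_sql(source: str) -> list[int]:
    """Return line numbers of f-strings whose literal prefix looks like a SQL statement.

    An f-string that starts with SELECT/INSERT/UPDATE/DELETE and interpolates
    values is almost always SQL built from untrusted input.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.JoinedStr) and node.values:
            first = node.values[0]
            if (
                isinstance(first, ast.Constant)
                and isinstance(first.value, str)
                and SQL_START.match(first.value)
            ):
                hits.append(node.lineno)
    return hits


# Constructed snippet to scan: one injectable query and one harmless f-string.
SAMPLE_SOURCE = '''\
def lookup(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchone()

def greet(name):
    return f"Hello, {name}"
'''


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real password:", login_vulnerable(db, DEMO_USER, DEMO_PASSWORD))
    print("vulnerable, injection    :", login_vulnerable(db, DEMO_USER, PAYLOAD))
    print("safe, real password      :", login_safe(db, DEMO_USER, DEMO_PASSWORD))
    print("safe, injection          :", login_safe(db, DEMO_USER, PAYLOAD))
    print("scanner flagged lines    :", find_fstring_sql(SAMPLE_SOURCE))
```

Running it shows the injected password authenticating against the formatted query but not the parameterized one, and the scanner pointing at the offending line before the code ever ships. Real tools do more (taint tracking across functions, `.format()` and `%` concatenation, ORM raw-query calls), but the core signal is this simple.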
For decades, senior executives have used naivety as an excuse when customer data has been stolen. But recently CEOs and CIOs have been fired when sensitive data escaped the confines of their company. How long will it be before an executive is fired because their software was compromised? Not soon enough.