Client Requirement and Business Drivers
The bank therefore implemented an initiative to focus on reducing security vulnerabilities early in the software development lifecycle; a critical element of this was training for the large development community around the world. The first step was to establish a common level of awareness of application security issues and how to address them.
It was decided to engage Commissum as an independent expert to propose a “quick fix” solution for spreading awareness with minimal disruption to the day-to-day operational activities of the developers. The solution agreed with the bank was a small bespoke e-learning package (a training "nugget") based on the OWASP Top 10 security vulnerabilities.
The main driver behind the requirement for training the software development community was the recognition that:
- It is a fact that the majority of security vulnerabilities are found in the application layer
- Despite many security initiatives and regular, comprehensive testing of systems, security issues at the application level were still a primary area of concern, and were frequently the reason for re-work on projects and the cause of security incidents
- Timescales on most application development projects were critical to meeting business requirements
- There is always a delicate balance between functional requirements, business needs, and security risk
- Developers are usually focused on ensuring that business functional requirements are delivered within the timescales set down by the business
- In this environment, it was frequently too easy to overlook critical flaws in design or not follow best practice development methodology