The idea behind the Application Security Industry Consortium is simple: Create a way to tell software buyers something about the relative strengths and weaknesses of the application they are evaluating. Make it so that, at the end of the day, buyers have a way to measure one application against another, much like auto crash test ratings. What are the vulnerabilities in this database, that e-mail program or any other code for sale?
At the recent RSA security show in San Jose, California, a group of vendors, analysts and security professionals announced they had formed the new consortium, called AppSic for short, which hopes to do just this and improve the state of application security along the way. (Hear a conversation with the group's founding members at www.csoonline.com/podcasts.)
The consortium is not a whistle-blowing agency, says Ed Adams, CEO of Security Innovation. Rather, he adds, "We're building the whistle."
Scott Charney, VP of Trustworthy Computing at Microsoft and an AppSic member, says the group differs from other industry groups because it seeks to inform software purchasing decisions by comparing how applications perform against vulnerability tests. "It's very hard to quantify the return on investment you get when you invest in product A or product B," he says. "There's no really good way for me to identify how buying a certain product or doing a certain thing mitigates my risk in a way I can measure. And, you know, at the end of the day, what gets measured gets done."
An additional benefit of developing application security tests will be to improve the quality of software code that new programmers are developing, says Mary Ann Davidson, CSO of Oracle and an AppSic member. "One of my complaints is we have bright developers but we have to teach remedial coding because, in part, colleges don't prescribe secure coding practices," she says. "I don't know if there is any accreditation of computer science programs. From my perspective, if there is, it's pretty wussy."