@@ -0,0 +1,19 @@
### Annual reports are very selective with the truth

Most companies' annual reports are selective with the truth when it comes to reporting on application security. This is a problem because information doesn't get exposed, and security teams can't leverage the information to push for the right decisions.

One of the biggest benchmarks a company has is its annual report, so if the annual report doesn't take application security into account, the company has no incentive to invest in technology, or take technology seriously.

I have seen many annual reports that have risk sections that contain all sorts of detailed information about risk, but don't mention application security. This is astonishing when you consider that most business runs on top of applications, websites, technology, and software.

Let's look at what happens if a product loses one of its key developers. If that person no longer works at the company, a big problem can arise. The absence of that developer means the company just lost the ability to understand one of the key parts of its work.

AppSec isn't like other engineering practices where even if you lose some key individuals there will be very detailed argumentation and workflows to assist with the replication of the knowledge that has left the practice. AppSec doesn't work like that. Most software is black boxes, and there are very few people who understand how it works. If one of those experts leaves, their knowledge leaves with them, and this is a big problem.

If an AppSec expert leaves a company, the annual report should mention this information. In fact, the annual report should contain the names of the key developers who understand the application and how things work. Their loss to a company, if they aren't replaced by someone with the same skill and capabilities, is something that should be highlighted because it signals a warning to the company on future product development.

If a company loses expert individuals, it means it can't make changes. It means a team might struggle to understand how a particular piece of code works. Consequently, the team is going to be very cautious in making any changes.

Development can grind to a halt. This explains why some products seem to be stuck in time and don't change. Because if those products get to the point where making any change is a big deal, if you don't have a very strong test read, it is a high-risk exercise.

This kind of information needs to be captured in the annual reports so that the investors can make better informed decisions.
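Review bot: two phrases in this hunk read as typos that change the meaning and should be fixed before merge: "very detailed argumentation and workflows" in the AppSec paragraph presumably means "documentation and workflows", and "if you don't have a very strong test read" in the development paragraph presumably means "test suite". The file also opens at a `###` heading with no `#` or `##` above it, so if this is meant to be a standalone page it should start at a top-level heading for consistency with the rest of the repository.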

This file was deleted.