Survey: Security Processes Lacking in Corporate Application Development
- By Chris Paoli
- March 7, 2011
According to a report by Creative Intellect Consulting, 59 percent of enterprise development teams are not following quality and security processes "rigorously" when developing new software.
The U.K.-based research and consulting firm's study, titled "State of Secure Application Lifecycle Management," surveyed more than 170 corporate application developers, architects, security professionals and IT pros on the state of their enterprises' secure software code delivery and lifecycle management procedures. The firm found that only 48 percent of respondent's security procedures were acceptable.
"Given the heightened awareness and focus on security in the last few years, it is surprising to see so few [organizations] embedding security tightly into the software delivery process," wrote Bob Rotibi, founder of Creative Intellect Consulting, in a press release. "It is as much a lack of process as it is insecure code."
The study found that over a quarter of respondents fall into the "lack of process" category. Twenty six percent surveyed said that not only do they not follow secure development processes, but their organizations do not evaluate and test security software before purchasing.
When asked why procedures were either lacking or non existent, respondents pointed to the lack of investment and little support from management as the two main factors in their enterprises' security holes.
Giving some insight into why this was the report stated that, "Businesses do not do what management doesn't support. Too often management view investment in securing the software delivery process as a cost that they don't, necessarily, see a related profit from."
However, the margin in profit in securing business software and applications comes in the form of decreased losses. A press release discussing the survey pointed to a recently released U.K. government report that said U.K. companies lose £27 billion (about $43.8 billion in U.S. dollars) a year to security application breaches. Creative Intellect Consulting said that upfront development and design processes, along with timely deployment, will help to lower these costs.
According to the report, education is the key factor in improving security protocols -- from informing managers on the importance of updating to giving teams resources to properly implement procedures. More than 57 percent of survey respondents pointed to the fact that the lack of education and training hurt in the delivery of secure software. 70 percent also felt a lack of guidance in security procedures concerning new tech issues (cloud, virtualization, mainframes and mobile devices).
Pointing to the only positive finding from the survey, Creative Intellect Consulting said that "some good progress has been made with encouraging support for key process practices that can both strengthen and promote the delivery of secure software."