Failure to take software security seriously is putting organisations, brands and people at risk, says software delivery analyst firm Creative Intellect Consulting in its inaugural report on the “State of Secure Application Lifecycle Management”.
In association with information security professional body (ISC)2 and the International Association of Software Architects (IASA), Creative Intellect conducted a survey of software development, IT and information security professionals around the world to inform its report.
Key highlights from the report included:
• Key software security and quality processes are not being followed.
Although many respondents review their development and delivery processes, 59 percent do not follow key security and quality processes ‘rigorously’, and 26 percent have little or no secure software development process at all. Only 48 percent claim to follow audit procedures rigorously. By contrast, change control processes are followed by more than 93 percent of respondents.
• Managers are jeopardizing secure software delivery, but they are not alone.
When asked what was preventing them from improving security across the software delivery lifecycle, nearly two-thirds of respondents cited a lack of management support and investment as the key reason. 69 percent said that not having the right culture, attitude and mindset was to blame, and 69 percent said that not having appropriate processes was the culprit.
• There is a clear mandate for better education and training that cannot be ignored.
More than 57 percent of respondents claimed that a lack of education and training support hampered their ability to deliver secure software. Over 70 percent felt that there was insufficient security guidance for key technology models such as cloud, virtualization, mobile devices and mainframes.
• A mentality exists to invest in what we know.
More than half of respondents claimed that investment in Quality Assurance (QA) tooling and process support would have the most impact on improving security across the software delivery lifecycle. Yet fewer than five percent blame QA for failing to detect bugs and issues. Creative Intellect advised that QA is the goalkeeper of the development process and should not be the primary investment focus.
• Compliance and regulation are key drivers.
66 percent of respondents claimed compliance and regulation were key drivers for applying security to the software development lifecycle. These factors were closely followed by corporate security and risk management strategy (56 percent) and new customer or business requirements (45 percent), highlighting that companies are beginning to enforce better behaviour on their suppliers and the business channel.
Bola Rotibi, founder of Creative Intellect Consulting and a widely published expert in the area of software and application lifecycle management, claimed that “Given the heightened awareness and focus on security in the last few years, it is surprising to see so few organisations embedding security tightly into the software delivery process. It is as much a lack of process as it is insecure code. It’s time we stopped blaming developers, recognised that insecure software is the root of many cyber security challenges and demanded that management take control of the problem before it impedes organisations’ ability to deliver new business-critical applications.
“We’d like to see organisations taking a multi-faceted approach to tackling the software security challenge. ‘Secure by Design and Practice’ should be the call to action adopted by organisations to address the software security challenge more directly,” concluded Rotibi.
John Colley, CISSP, Managing Director EMEA, (ISC)2 said, “This report highlights significant gaps on following key security and quality processes required to develop and deliver secure systems and software. It appears that there is a significant failure to assess the risks associated with not recognizing the need for tight controls to deliver secure systems and software. Even though the industry seems to have recognized the significance of following a change control process, lack of management support and investment for improving security across the software development lifecycle is preventing it from following the rigorous discipline required to deliver secure systems and software.”
The 2011 (ISC)2 Global Information Security Workforce Study announced last week also found that application vulnerabilities represented the number one threat to organisations.
“All too often, software delivery is compromised by unrealistic demands and a lack of rigour around the process, as this report highlights. It is one thing to architect a solution that is robust and secure but an entirely different thing to deliver it. Architecture is pivotal not just at systems design but right throughout the lifecycle into operations. Security is one highly important quality attribute among many that need to be preserved and professionally qualified architects hold the key,” says Matt Deacon, Chairman of IASA UK. “This report highlights the need for security issues to be addressed from the outset.”