Perhaps one answer is that organisations have a polarised response to secure development: some wholeheartedly embrace it and actively alter their business processes and controls, whilst others are blinkered and reject it as a costly exercise that is too difficult to implement successfully.
Typically, an organisation's culture largely determines whether a programme of secure development is implemented. Organisations with conventional cultures usually present the most resistance to any sort of change, let alone a security one. Their environments are dogmatic and strictly compartmentalised along departmental boundaries. They are comfortable leaving the software development process as it is, systematically separated into planning, design, testing and implementation, with security addressed at the eleventh hour or, worse still, once projects have gone live. Organisations such as these remain culturally static until they are driven by a new business need or subjected to a compelling event.
Whilst an organisation's culture cannot be changed overnight, some organisations have moved into a more proactive mode and successfully integrated secure development. Their achievements have resulted from adopting a culture of shared beliefs, values and behaviours, and their environments are filled with positive reinforcement of change.
For example, they educate their personnel in the benefits of implementing secure development early. Project leaders and their managers promote a team atmosphere in which work is produced as defect-free as possible before being passed to the next development stage or to the customer. By encouraging mutual respect they have overcome the suspicion and opposition that software engineers have had towards security auditors, the party responsible for identifying vulnerabilities and weaknesses in their software. Because problems found are seen to lie with the product and not with its producers, each participant is receptive to suggestions for improvement and progress occurs more quickly. Operating in this manner also provides opportunities for knowledge sharing: by establishing effective forums, less experienced team members can increase their learning while still making useful contributions. Ultimately, they recognise that spending time on quality activities up front saves time for the whole organisation in the long run, as well as increasing customer satisfaction by releasing cleaner products in version 1.0.