Failure to invest in secure software a major risk

Failure to take software security seriously is putting organizations, brands and people at risk, according to a report by Creative Intellect Consulting.

Key highlights from the report included:

Key software security and quality processes are not being followed
Despite many respondents carrying out reviews of their development and delivery processes, 59 percent of respondents are not following key security and quality processes “rigorously’. Twenty-six percent have little or no secure software development processes. Only 48 percent claim to follow audit procedures rigorously. Change control processes are followed by more than 93 percent of respondents, however.

Managers are jeopardizing secure software delivery, but they are not alone
When asked what was preventing respondents from improving security across the software delivery lifecycle, lack of management support and investment were cited by nearly two-thirds of respondents as the key reason. Sixty-nine percent claimed not having the right culture, attitude and mindset were to blame, and 69 percent said not having appropriate processes was the culprit.

There is a clear mandate for better education and training that cannot be ignored
More than 57 percent of respondents claimed that a lack of education and training support hampered their ability to deliver secure software. Over 70 percent felt that there was insufficient security guidance for key technology models such as cloud, virtualization, mobile devices and mainframes.

A mentality exists to invest in what we know
More than half of respondents claimed that investment in Quality Assurance (QA) tool and process support would have the most impact on improving security across the software delivery lifecycle. Yet less than five percent blame QA for failing to detect bugs and issues. Creative Intellect advised that QA is the goalkeeper in the development process and should not be the primary investment focus.

Compliance and regulation is a key driver
Sixty-six percent of respondents claimed compliance and regulation were key drivers for applying security to the software development lifecycle. These factors were closely followed by corporate security and risk management strategy (56 percent) and new customer or business requirements (45 percent), highlighting that companies are beginning to enforce better behavior on their suppliers and the business channel.

John Colley, CISSP, Managing Director EMEA, (ISC)2 said, “This report highlights significant gaps on following key security and quality processes required to develop and deliver secure systems and software. It appears that there is a significant failure to assess the risks associated with not recognizing the need for tight controls to deliver secure systems and software. Even though the industry seems to have recognized the significance of following a change control process, lack of management support and investment for improving security across the software development lifecycle is preventing it from following the rigorous discipline required to deliver secure systems and software.”