The study interviewed development, security and risk professionals across the US & UK, and confirmed that risk associated with insecure software is a very real concern and a top priority for management and developers alike.
The survey of nearly 200 businesses found that more than 62% of organizations have experienced a security breach in the past 12 months due to exploitation of vulnerabilities in their critical software applications. The study also found that while companies feel they know the make-up and business criticality of their mixed application portfolios, there is little confidence in the security quality of their applications.
Other key findings:
- Few companies know the security quality of business critical applications. Only 13% of respondents know the security quality of all their business applications which they deem critical to the enterprise.
- Enterprises are increasing scrutiny on ISVs and outsourcers for delivering secure code. 60% of respondents stated they are actively incorporating (or have already adopted) third party security assessments as part of software procurement processes for COTS or outsourced code.
- Security as part of the software development process is not widely practiced. Only 34% of companies have a comprehensive SDLC process which integrates application security.
- Most enterprises lack formal secure development training programs. 57% of organizations don't have systematic training programs addressing application security training for their developers.
- Security spending is not immune to economic conditions. 64% of respondents stated that while application security is important to them, they are struggling to meet the challenge on existing budgets.