Failure to take software security seriously is putting organizations, brands and people at risk, says software delivery analyst firm Creative Intellect Consulting in its inaugural report on the “State of Secure Application Lifecycle Management.”
The report highlights the disconnect between secure software policy and implementation, begging the question as to whether organizations are really ready and able to deliver secure software targeting technologies such as cloud computing and mobile delivery platforms.
In association with information security professional body (ISC)2® and the International Association of Software Architects (IASA), Creative Intellect conducted a survey of software development, IT and information security professionals around the world to develop its report. This slideshow highlights key findings from the report.
Key software security and quality processes are not being followed.
Despite many respondents carrying out reviews of their development and delivery processes, 59 percent of respondents are not following key security and quality processes ‘rigorously’. Twenty-six percent have little or no secure software development processes. Only 48 percent claim to follow audit procedures rigorously. Change control processes are followed by more than 93 percent of respondents, however.
Managers are jeopardizing secure software delivery, but they are not alone.
When asked what was preventing them from improving security across the software delivery lifecycle, nearly two-thirds of respondents cited lack of management support and investment as the key reason. Sixty-nine percent claimed that not having the right culture, attitude and mindset was to blame, and 69 percent said not having appropriate processes was the culprit.
There is a clear mandate for better education and training that cannot be ignored.
More than 57 percent of respondents claimed that a lack of education and training support hampered their ability to deliver secure software. Over 70 percent felt that there was insufficient security guidance for key technology models such as cloud, virtualization, mobile devices and mainframes.
A mentality exists to invest in what we know.
More than half of respondents claimed that investment in quality assurance (QA) tooling and process support would have the most impact on improving security across the software delivery lifecycle. Yet less than five percent blame QA for failing to detect bugs and issues. Creative Intellect advised that QA is the goalkeeper in the development process and should not be the primary investment focus.
Compliance and regulation are key drivers.
Sixty-six percent of respondents claimed compliance and regulation were key drivers for applying security to the software development lifecycle. These factors were closely followed by corporate security and risk management strategy (56 percent) and new customer or business requirements (45 percent), highlighting that companies are beginning to enforce better behavior on their suppliers and the business channel.