There seems to be a correlation between the size of the company and the degree of concern, indicating greater concern over proprietary software development (more prevalent in larger companies) than commercial applications (more prevalent in smaller companies). Overall, insecure software is a contributor in about one-third of all attacks.
The problem lies in an apparent disconnect between the functions of software development (and procurement) and corporate security. The study of 12,000 security professionals around the world by (ISC)², Booz Allen Hamilton and Frost & Sullivan shows that only 21% are involved in internal software development, 20% in its procurement, and only 10% in outsourcing. Since this disconnect is understood and accepted, it is concerning that it isn’t being adequately addressed.
The biggest single material cause would seem to be a lack of staff – around half of employers accept that their security teams are understaffed. But corporate culture must also accept part of the blame. “Organizations realize the potential ramifications of not addressing application security concerns; however, most fail to adequately address them,” commented Michael Suby, Stratecast VP of Research at Frost & Sullivan and author of the report. “Cyber security professionals have a duty to anticipate and remedy vulnerabilities as they arise, but the development community must meet them in the middle and take security concerns more seriously. Without this partnership,” he adds, “we will see more and more successful attacks that could have devastating effects.”
W. Hord Tipton, executive director of (ISC)², agrees that security must come out of its silo and permeate the entire corporate structure. “Deepening engagements in software development cannot occur in isolation or be the exclusive responsibility of the information security workforce.” he says. “Other relevant functional groups – software developers, application owners, and the quality assurance and testing teams – must also internalize secure software development best practices and engage with information security professionals on a regular basis.”
“The conclusion is apparent,” says the study: “unless software and information security professionals’ involvement is deepened in secure software development, procurement, and outsourcing; and training and education permeates the ranks of software development functions, the risks associated with insecure software will remain.”