Insecure software plays key role in creating cybersecurity vulnerabilities

The report – 'the State of Secure Application Lifecycle Management' – from Creative Intellect Consulting, says the problem stems from a lack of investment in critical IT processes.

According to Creative Intellect, the report took in the results of a survey carried out in association with information security professional body (ISC)² and the International Association of Software Architects (IASA).

That survey, says the firm, took in data from 10,000 software development, IT and information security professionals around the world and found that key software security and quality processes are not being followed in many organisations.

Furthermore, says the report, despite many respondents carrying out reviews of their development and delivery processes, 59% of respondents are not following key security and quality processes sufficiently.

Twenty-six percent of respondents, meanwhile, said their organisation has few or no secure software development processes. And only 48% claimed to follow audit procedures rigorously.

Interestingly, however, 93% of those surveyed said that they followed change control processes within their business.

As you might expect, researchers found that compliance and regulation is now a key driver, with 66% of respondents saying these issues are now central to applying security to the software development lifecycle.

These factors were closely followed by corporate security and risk management strategy (56%) and new customer or business requirements (45%), highlighting that companies are beginning to enforce better behaviour on their suppliers and the business channel.

Twenty-eight percent of respondents, meanwhile, claimed that a top-down drive from management was behind increased focus on security, suggesting that in some organisations, management is aware of the problem and wants it fixed.

Commenting on the figures, Bola Rotibi, founder of Creative Intellect Consulting, said that, given the heightened awareness and focus on security in the last few years, it is surprising to see so few organisations embedding security tightly into the software delivery process.

"It is as much a lack of process as it is insecure code. It's time we stopped blaming developers, recognised that insecure software is the root of many cyber security challenges and demanded that management take control of the problem before it impedes organisations' ability to deliver new business-critical applications", she said.

Rotibi went on to say that she and her team would like to see organisations taking a multi-faceted approach to tackling the software security challenge.

'Secure by Design and Practice', she explained, should be the call to action adopted by organisations to address the software security challenge more directly.

John Colley, EMEA managing director of (ISC)², said that the report highlights significant gaps in key security and quality processes required to develop and deliver secure systems and software.

"It appears that there is a significant failure to assess the risks associated with not recognising the need for tight controls to deliver secure systems and software", he said.

"Even though the industry seems to have recognised the significance of following a change control process, lack of management support and investment for improving security across the software development lifecycle is preventing it from following the rigorous discipline required to deliver secure systems and software", he added.