Majority of government personnel do not receive enough software security training

Around 37% of those surveyed believe that the first priority for improving security across the software delivery lifecycle is training and education, and 33% believe it should be a top priority of their organizations to address culture, attitudes, and mindsets about software security.

“When the majority of information security professionals who have at least some oversight over the software development lifecycle are seeking more training and guidance, managers need to take heed,” said W. Hord Tipton, executive director of (ISC)². “In light of the industry’s dependence on Web applications and its rapid migration to virtual and mobile environments, senior management must gain awareness of the grave risks involved with insecure software and create a culture that inspires education for all those involved in the software development lifecycle."

A majority of respondents said their organization had at least four employees dedicated to ensuring security throughout the software development lifecycle.

Glenn Johnson, a senior certification consultant for (ISC)², told Infosecurity that the need for information and training about security over the software development lifecycle was a clear takeaway from the survey.

Johnson said that security personnel should create a security checklist. They should ask, for example, “Am I meeting the requirements of NIST [National Institute of Standards and Technology] for secure coding?” In addition, the (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) certification is a “blueprint” for software development lifecycle policies and procedures that would deliver software that is less vulnerable, he said.

The need for security training and guidance is especially acute for new technologies, such as virtualization and cloud computing: 78% of respondents said their organizations have plans to use virtualization and 48% said their organization plans to use cloud computing. Regarding the security impact of these technologies, 24% of respondents said they needed security guidance on cloud computing, and 16% said they needed it for software-as-a-service platforms.

“These new technologies open up an opportunity for vulnerability… Does the cloud platform adhere to the same security practices and principles that you hold as an organization? That gives you new security prerequisites to require of a vendor that is providing you with these services,” he said. “Are third parties using the same security steps and policies that you are using to create a secure product? This will determine who you select as a cloud-based vendor and a virtual platform provider.”

Mobile devices also pose additional security risks for government agencies and contractors. “Any time you have a laptop or cell phone… that creates an amazing plethora of vulnerabilities that most of your larger organizations have tried to prevent as much as possible from happening… We don’t know if the applications operating on those mobile devices were developed with secure practices. If they weren’t, this opens up a portal to access your system.” Insecure applications for mobile phones are the “weakest link” in the security chain, Johnson observed.

Johnson cited that 100% of those surveyed believe that insecure software presents a significant threat to the federal government. He concluded that the “need for education about software security is imperative”.