Web developers' application security sorely lacking

The study polled 240 US and European companies. Almost one-fifth of them – 18% – put their losses at more than $500,000, while another 8% saw losses in excess of $1 million. Two reported losses of more than $10 million due to their software being compromised.

Nonetheless, many companies have yet to implement what Forrester calls secure development practices, most often citing typical developer pressures: the need for a quick time-to-market (41%), funding (71%), a lack of security tools (71%) and a lack of tools that can scale appropriately (79%).

Less than half (42%) of respondents follow secure coding guidelines, only 28% use a library of approved or banned functions and barely a quarter (26%) utilize threat modeling. Additionally, only 17% test during the development cycle, and more than half do not audit their code before integration testing.

Web application security is firmly off the radar screen for many developers for one other reason as well: a cultural one. Developers simply aren’t used to bothering themselves with security. “I recall a project I worked on a few years ago where I was tasked with overseeing the security of a website we were building,” said blogger Jeff Orloff, in the Developer Drive blog. “When I sat down with the chief programmer I wanted to discuss three types of vulnerabilities with him: cross-site scripting, SQL injection and information leakage. His response was simply, ‘I don’t know anything about this stuff and I don’t care. That’s your job.’”

Orloff goes on to say that while other web developers may be less abrupt, the issue remains. “I have noticed that not many of them are aware of the different vulnerabilities that exist when it comes to web site development,” he said.

Forrester says that as companies grapple with a more sophisticated threat landscape, they will have no choice but to improve application security. If development does not integrate security into its practices from the earliest stages, addressing it later may not only be more expensive, but could be ineffective altogether.

“It’s clear that security practitioners and developers aren’t speaking the same language when it comes to application security, and this is leading to very costly consequences for companies,” said Jennifer Johnson, vice president of marketing at Coverity, which commissioned the study. “Application security begins and ends with development. Developers need to be part of the solution but the industry won’t solve the problem until security is incorporated into the development process with technologies and processes that developers can understand and adopt. Force-feeding development with legacy tools built for security teams just isn’t working.”