• United States



Contributing Writer

Software Development: Still Lacking Strong Security

Jul 27, 20122 mins
Cisco SystemsCybercrimeData and Information Security

Baby steps toward an SDL are not enough

Large organizations are buying next-generation firewalls, advanced malware detection/prevention systems, encryption software, and new types of security analytics tools. On balance, this is a good thing as they add more layers of defense to networks and host computers. 

Yet with all of this activity, many organizations continue to neglect their software security. Yes, they are installing web application firewalls (WAFs), but they tend to eschew a more fundamental problem: Many firms continue to develop insecure software.As an example, here are a few of the findings and conclusions from a recent State of Software Security Report from secure development leader Veracode: 

1. When Veracode tested, more than half of all applications failed to meet acceptable security quality, and more than 8 out of 10 web applications failed OWASP Top 10.

2. Most developers are in dire need of additional application security training and knowledge.

3. The software industry, including security products and services, have significant gaps in their security posture.

Addressing software security requires more than a few testing suites or a WAF. What’s really needed is a software security development lifecycle (SDL) that injects security into the entire development process. Microsoft gets this. After the now famous “Trustworthy Computing” memo from Bill Gates in 2002, Microsoft developed and formalized its SDL, and since 2004, all new software must go through its SDL process as a standard operating procedure.

While Microsoft established and publicized its SDL, most enterprises haven’t followed Redmond’s lead. According to a recent ESG Research survey, only 34% of enterprise organizations (i.e. more than 1,000 employees) have adopted an SDL process. ESG also analyzed this data across a segmentation model that divided the entire survey population into three groups:  leaders, followers, and laggards. Based upon this segmentation, 37% of leaders have established an SDL, 35% of followers have established an SDL, and 31% of laggards have established an SDL. These results are both surprising and alarming — organizations that are normally proactive and diligent with their security practices continue to disregard secure software development. 

Bad guys know about the poor state of software security, which is why they’ve become so adept at compromising websites, bypassing security controls, and ultimately stealing your data. As a result, insecure software impacts all of us. It’s time to truly address this problem.

Contributing Writer

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.

More from this author