Baby steps toward an SDL are not enough

Large organizations are buying next-generation firewalls, advanced malware detection/prevention systems, encryption software, and new types of security analytics tools. On balance, this is a good thing, as these add more layers of defense to networks and host computers. Yet with all of this activity, many organizations continue to neglect their software security. Yes, they are installing web application firewalls (WAFs), but they tend to sidestep a more fundamental problem: many firms continue to develop insecure software.

As an example, here are a few of the findings and conclusions from a recent State of Software Security Report from secure development leader Veracode:

1. When Veracode tested, more than half of all applications failed to meet acceptable security quality, and more than 8 out of 10 web applications failed to meet the OWASP Top 10.
2. Most developers are in dire need of additional application security training and knowledge.
3. The software industry, including security products and services, has significant gaps in its security posture.

Addressing software security requires more than a few testing suites or a WAF. What’s really needed is a software security development lifecycle (SDL) that injects security into the entire development process. Microsoft gets this. After the now famous “Trustworthy Computing” memo from Bill Gates in 2002, Microsoft developed and formalized its SDL, and since 2004, all new software must go through its SDL process as a standard operating procedure. While Microsoft established and publicized its SDL, most enterprises haven’t followed Redmond’s lead. According to a recent ESG Research survey, only 34% of enterprise organizations (i.e. those with more than 1,000 employees) have adopted an SDL process. ESG also analyzed this data across a segmentation model that divided the entire survey population into three groups: leaders, followers, and laggards.
Based upon this segmentation, 37% of leaders have established an SDL, 35% of followers have established an SDL, and 31% of laggards have established an SDL. These results are both surprising and alarming — organizations that are normally proactive and diligent with their security practices continue to disregard secure software development. Bad guys know about the poor state of software security, which is why they’ve become so adept at compromising websites, bypassing security controls, and ultimately stealing your data. As a result, insecure software impacts all of us. It’s time to truly address this problem.