Most businesses are still not doing enough to build and
buy securely written software, according to software developers
speaking at the RSA conference.
The problem stems partly from failing to ask basic questions
about how securely commercial software is written and from a
failure to train in-house software developers to write applications
with few vulnerabilities, said the Secure Software Forum, a group
founded to promote applications that resist attacks.
According to analyst firm Gartner, organisations are facing an
“enormous” threat, with 70% of business security vulnerabilities at
the application layer. In addition, 64% of in-house business
software developers admit they lack confidence that they can write
secure applications.
When buying commercial software for business applications,
corporate customers must find out what architectural procedures the
supplier followed and how stringently the software has been tested
for weaknesses that can be exploited, the panel insisted.
In addition, businesses should train their in-house application
developers to write secure code. In practice, very few companies
do this, according to a survey of Fortune 1000 companies conducted
by the forum: only 36% of those questioned educate their software
teams about security.
In a fast-moving world, some of this is pie-in-the-sky stuff.
The reason applications are insecure is that they are built too
quickly to meet business needs. Slow down the ‘we want it
yesterday’ mentality, and you might get applications with a chance
of being secure. As for finding out what architectural procedures
the supplier followed, that will add an interesting question to the
invitation-to-tender (ITT) process.