Awareness of the importance of application security has jumped
significantly in just a few years, and it is top of mind for the
majority of those surveyed recently by Symantec. But the
implementation of secure coding practices, as well as formal
education, still have a way to go, according to the survey
results.
Among the 400 U.S.-based software developers surveyed by Applied
Research on behalf of Symantec, 93% indicated that secure
application development is more of a priority now than three years
ago.
"That's an overwhelming number, and it fits with what I'm seeing
in the field. Pretty much everyone, regardless of what they thought
three years ago, thought it was a bigger deal now," said
Brad Arkin, senior manager of Symantec Security Learning
Services. "They are either now focused on it and working hard to
fix the problem, or they're aware and know they need to address
it."
In fact, according to the survey, 35% of respondents cite
security as their number one priority, while 39% rank it number
two.
The big driver for this change in awareness is the threat
landscape, Arkin said. "Our threat report has shown a trend that
application security vulnerabilities are increasing and growing
faster than any other category of vulnerability. The bad guys out
there are taking the path of least resistance."
For most organisations today, he said, "operating systems are
configured correctly, they've got good network firewalls, so the
application becomes the weakest point. And it's where the bad guys
are spending their energy."
Arkin noted that in addition to increasing vulnerabilities,
changes in the regulatory environment are also driving awareness.
Today, he said, "if you have a data security breach you need to
inform your customers. In the past, your company might've been able
to tuck it away. Because of changes in the regulatory environment,
organisations are proactively saying, 'What can we do to make sure
we do not end up in the newspaper?'"
Along with increasing awareness, corporate commitment to
application security is on the rise. When asked to what degree
business leaders and senior staff consider security to be a
priority, on a scale of 1 to 5, 23% of respondents indicate that
security is a top priority (1), while 37% rate it a 2.
However, time-to-market pressures still loom large as a barrier
to corporate commitment. For example, only 12% of respondents say
security always takes priority compared with meeting competitive
deadlines, and another 30% say security usually takes priority. For
another 30% of respondents, security and deadline pressures are
about equal, while for 12% competitive pressures always take
priority.
And building security into the software development life cycle
is still not a given at most organisations. Only 29% of respondents
say security is always part of the development process.
When vulnerabilities in code are found, 63% of respondents
utilise a process to remediate vulnerabilities only some of the
time, 30% always remediate vulnerabilities, and 7% never do. And
while 65% of respondents include security testing as part of the QA
process, Arkin said that seems high based on his experience.
"A lot of organisations may have good intentions about security
testing, but it comes down to they don't know how or there are not
enough people, so it may get pushed aside," he said.
Security training important
But organisations are showing a commitment to security training.
According to the survey, 68% of respondents indicated that their
employer emphasised or required continuing education around secure
coding, while 32% said their employers do not.
"The good news is that ongoing education and training are being
promoted," Arkin said. "The majority of organisations are pushing
it and making it available, whether through formal [programs] or
on-the-job training. In our experience [application security]
requires a steady, consistent education program. It gives me a good
feeling that the tide is turning and organisations are starting to
take the right steps to address the problem."
But consistent, formalised education in secure coding is still
lacking throughout the industry. On-the-job security training is
the most common method, according to 66% of respondents. Just 40%
have received formal training by their employers, and 11% have
received no training. And only 27% have received training in secure
coding as part of their undergraduate education.
According to Arkin, the survey results present a good news/bad
news scenario. "The good news is there's progress, but the bad
news, or the flip side, is we're not there yet. It's great the
numbers are higher, but we're still not getting the coverage we
need to protect sensitive data and applications."