Most businesses are still not doing enough to build and buy securely written software, according to software developers speaking at the RSA conference.
The problem stems partly from buyers not asking basic questions about how securely commercial software is written, and partly from companies not training their in-house developers to write applications with few vulnerabilities, said the Secure Software Forum, a group founded to promote applications that resist attack.
According to analyst firm Gartner, organisations are facing an “enormous” threat, with 70% of business security vulnerabilities at the application layer. In addition, 64% of in-house business software developers admit they lack confidence that they can write secure applications.
When buying commercial software for business applications, corporate customers must find out what architectural procedures the supplier followed and how stringently the software has been tested for weaknesses that can be exploited, the panel insisted.
In addition, businesses should train their in-house application developers to write secure code. In practice, very few companies do: in a survey of Fortune 1,000 companies conducted by the forum, only 36% of those questioned said they educate their software teams about security.
In a fast-moving world, some of this is pie-in-the-sky stuff. Applications are insecure largely because they are built too quickly to meet business demands. Slow down the ‘we want it yesterday’ mentality and you might get applications with a chance of being secure. As for finding out which architectural procedures a supplier followed, that will add an interesting question to the ITT (invitation to tender) process.