Application security more of a priority, but practices still lag

A survey by Symantec has found more software developers consider application security a priority, but formal education and implementation of secure coding practices still trails.

Awareness of the importance of application security has jumped significantly in just a few years, and it is top of mind for the majority of those surveyed recently by Symantec. But the implementation of secure coding practices, as well as formal education, still have a way to go, according to the survey results.

Among the 400 U.S.-based software developers surveyed by Applied Research on behalf of Symantec, 93% indicated that secure application development is more of a priority now than three years ago.

"That's an overwhelming number, and it fits with what I'm seeing in the field. Pretty much everyone, regardless of what they thought three years ago, thought it was a bigger deal now," said Brad Arkin, senior manager of Symantec Security Learning Services. "They are either now focused on it and working hard to fix the problem, or they're aware and know they need to address it."

In fact, according to the survey, 35% of respondents cite security as their number one priority, while 39% rank it number two.

The big driver for this change in awareness is the threat landscape, Arkin said. "Our threat report has shown a trend that application security vulnerabilities are increasing and growing faster than any other category of vulnerability. The bad guys out there are taking the path of least resistance."

For most organisations today, he said, "operating systems are configured correctly, they've got good network firewalls, so the application becomes the weakest point. And it's where the bad guys are spending their energy."


Arkin noted that in addition to increasing vulnerabilities, changes in the regulatory environment are also driving awareness. Today, he said, "if you have a data security breach you need to inform your customers. In the past, your company might've been able to tuck it away. Because of changes in the regulatory environment, organisations are proactively saying, 'What can we do to make sure we do not end up in the newspaper?'"

Along with increasing awareness, corporate commitment to application security is on the rise. When asked to what degree business leaders and senior staff consider security a priority, on a scale of 1 (highest) to 5, 23% of respondents rate it a 1, while 37% rate it a 2.

However, time-to-market pressures still loom large as a barrier to corporate commitment. For example, only 12% of respondents say security always takes priority compared with meeting competitive deadlines, and another 30% say security usually takes priority. For another 30% of respondents, security and deadline pressures are about equal, while for 12% competitive pressures always take priority.

And building security into the software development life cycle is still not a given at most organisations. Only 29% of respondents say security is always part of the development process.

When vulnerabilities in code are found, 63% of respondents utilise a process to remediate vulnerabilities only some of the time, 30% always remediate vulnerabilities, and 7% never do. And while 65% of respondents include security testing as part of the QA process, Arkin said that seems high based on his experience.

"A lot of organisations may have good intentions about security testing, but it comes down to they don't know how or there are not enough people, so it may get pushed aside," he said.

Security training important
But organisations are showing a commitment to security training. According to the survey, 68% of respondents indicated that their employer emphasised or required continuing education around secure coding, while 32% said their employers do not.

"The good news is that ongoing education and training are being promoted," Arkin said. "The majority of organisations are pushing it and making it available, whether through formal [programs] or on-the-job training. In our experience [application security] requires a steady, consistent education program. It gives me a good feeling that the tide is turning and organisations are starting to take the right steps to address the problem."


But consistent, formalised education in secure coding is still lacking throughout the industry. On-the-job security training is the most common method, according to 66% of respondents. Just 40% have received formal training by their employers, and 11% have received no training. And only 27% have received training in secure coding as part of their undergraduate education.

According to Arkin, the survey results present a good news/bad news scenario. "The good news is there's progress, but the bad news, or the flip side, is we're not there yet. It's great the numbers are higher, but we're still not getting the coverage we need to protect sensitive data and applications."
