Survey shows management more optimistic than developers that company-created applications are secure. The problem, says the study’s sponsor, is lack of training
It’s long been alleged that executives are often out of touch with their staff.
A new survey on application security claims to verify that, say its authors.
The survey of 642 IT professionals done for Security Innovations, a Massachusetts-based consulting firm that specializes in application security training, found that executives are more optimistic than their programmers that app developers follow procedures to ensure code is not only efficient but also secure.
When asked if their organization’s application security program is mature, 67 per cent of executives, 64 per cent of directors and 58 per cent of managers agreed or strongly agreed. By contrast, 47 per cent of supervisors, 27 per cent of technicians and 33 per cent of other staff answered positively.
Other findings were similar, said Security Innovations CEO Ed Adams.
“I would classify a lot of the executives that participated in this study as not knowing what the hell’s going on at all in their software development teams with respect to security,” he said in an interview. “It was an interesting but very disturbing kind of finding.”
The survey of 20 questions was conducted by the Ponemon Institute, a market research firm, and was a follow-up to a survey done last year. Part of the goal was to find out how organizations rate on a scale Security Innovations has created ranking the depth of processes to ensure apps they create are secure.
But some of the answers led institute chair Larry Ponemon to conclude that “people at the high end tend to have a rosier picture of the application security development process. In essence they thought things were better than the rank and file.”
Among the findings: only 43 per cent of respondents agreed or strongly agreed their organization has a defined software development process in place. Of that group, 69 per cent agreed or strongly agreed the organization actually followed that process; the rest were either unsure or disagreed.
Only 42 per cent say their organizations subject applications to manual penetration testing by internal teams or by a third party. Less than half use automated scanning tools to test apps during development, or to test apps for vulnerabilities after release.
There have been so many “blatant and horrific data breaches” recently that for organizations not to perform security testing on their software apps, which Adams said are the biggest source of data breaches, is also “mindboggling,” he said. Yet almost 60 per cent of respondents said their companies don’t use automated scanning tools. “It’s almost like the industry is asking for more hacks and data breaches.”
Meanwhile, added Ponemon, organizations spend more money on perimeter control products, like intrusion detection and firewalls.
“It’s exacerbated by the fact that the majority of universities still do not teach (students) how to write secure code,” said Adams. “That’s long been a wound that universities have not resolved. So it’s incumbent on corporations and employers to train their development staff on how to write secure code. I know a lot of them refuse to do it.”
More than half of respondents said their organizations don’t have a formal security training program in place for their development teams, Adams complained. So it’s difficult to ask a developer or architect to write secure code or choose secure design elements if they’re not trained, he said. They won’t know how.
When it was suggested that organizations assume developers know how to write secure code, so training isn’t needed, he disagreed. “It is a specific skill that needs to be taught.”
“I don’t think orgs are asking ‘can you write secure code,’ because I don’t think it’s on their radar. This survey proves it.”
Adams acknowledged that his company does have a vested interest in the survey because it wants people to get smarter about application security. However, he added, it didn’t influence the responses.