Execs out of sync with staff on app safety: Vendor


It’s long been alleged that executives are often out of touch with their staff.

A new survey on application security appears to confirm it, say its authors.

The survey of 642 IT professionals done for Security Innovations, a Massachusetts-based consulting firm that specializes in application security training, found that executives are more optimistic than their programmers that app developers follow procedures to ensure code is not only efficient but also secure.

When asked if their organization’s application security program is mature, 67 per cent of executives, 64 per cent of directors and 58 per cent of managers agreed or strongly agreed. By contrast, 47 per cent of supervisors, 27 per cent of technicians and 33 per cent of other staff answered positively.

Other findings were similar, said Security Innovations CEO Ed Adams.

“I would classify a lot of the executives that participated in this study as not knowing what the hell’s going on at all in their software development teams with respect to security,” he said in an interview. “It was an interesting but very disturbing kind of finding.”

The survey of 20 questions was conducted by the Ponemon Institute, a market research firm, and was a follow-up to a survey done last year. Part of the goal was to find out how organizations rate on a scale Security Innovations has created ranking the depth of processes to ensure apps they create are secure.

But some of the answers led institute chair Larry Ponemon to conclude that “people at the high end tend to have a rosier picture of the application security development process. In essence they thought things were better than the rank and file.”

Among the findings: Only 43 per cent of respondents agreed or strongly agreed their organization has a defined software development process in place. Of that group, 69 per cent agreed or strongly agreed the organization actually followed that process; the rest were either unsure or disagreed.

Only 42 per cent say their organizations subject applications to manual penetration testing by internal teams or by a third party. Less than half use automated scanning tools to test apps during development, or to test apps for vulnerabilities after release.

There have been so many “blatant and horrific data breaches” recently that it is “mindboggling,” Adams said, for organizations not to perform security testing on their software applications, which he called the biggest source of data breaches. Yet almost 60 per cent of respondents said their companies don’t use automated scanning tools, he said. “It’s almost like the industry is asking for more hacks and data breaches.”

Meanwhile, added Ponemon, organizations spend more money on perimeter control products, like intrusion detection and firewalls.

“It’s exacerbated by the fact that the majority of universities still do not teach (students) how to write secure code,” said Adams. “That’s long been a wound that universities have not resolved. So it’s incumbent on corporations and employers to train their development staff on how to write secure code. I know a lot of them refuse to do it.”

More than half of respondents said their organizations don’t have a formal security training program in place for their development teams, Adams noted. So it’s difficult to ask a developer or architect to write secure code or choose secure design elements if they’re not trained, he said. They won’t know how.

When it was suggested that organizations assume developers already know how to write secure code, so training isn’t needed, he disagreed. “It is a specific skill that needs to be taught.”

“I don’t think orgs are asking ‘can you write secure code,’ because I don’t think it’s on their radar. This survey proves it.”

Adams acknowledged that his company does have a vested interest in the survey because it wants people to get smarter about application security. However, he added, it didn’t influence the responses.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
