Large organizations are buying next-generation firewalls, advanced malware detection/prevention systems, encryption software, and new types of security analytics tools. On balance, this is a good thing as they add more layers of defense to networks and host computers.
Yet with all of this activity, many organizations continue to neglect their software security. Yes, they are installing web application firewalls (WAFs), but they tend to sidestep a more fundamental problem: many firms continue to develop insecure software. As an example, here are a few of the findings and conclusions from a recent State of Software Security Report from secure development leader Veracode:
- When tested by Veracode, more than half of all applications failed to meet acceptable security quality, and more than 8 out of 10 web applications failed to pass the OWASP Top 10.
- Most developers are in dire need of additional application security training and knowledge.
- The software industry, including security products and services, has significant gaps in its security posture.
Addressing software security requires more than a few testing suites or a WAF. What's really needed is a software security development lifecycle (SDL) that injects security into the entire development process. Microsoft gets this. After the now famous "Trustworthy Computing" memo from Bill Gates in 2002, Microsoft developed and formalized its SDL and since 2004, all new software must go through its SDL process as a standard operating procedure.
While Microsoft established and publicized its SDL, most enterprises haven't followed Redmond's lead. According to a recent ESG Research survey, only 34% of enterprise organizations (i.e., more than 1,000 employees) have adopted an SDL process. ESG also analyzed this data across a segmentation model that divided the entire survey population into 3 groups: leaders, followers, and laggards. Based upon this segmentation, 37% of leaders have established an SDL, 35% of followers have established an SDL, and 31% of laggards have established an SDL. These results are both surprising and alarming -- organizations that are normally proactive and diligent with their security practices continue to disregard secure software development (see this ESG Research Brief, Best Practices for Secure Software Development, for more information).
Bad guys know about the poor state of software security, which is why they've become so adept at compromising web sites, bypassing security controls, and ultimately stealing your data. As a result, insecure software impacts all of us. It's time to truly address this problem.