Application vulnerabilities topped the list of security concerns among respondents in a recent survey from (ISC)2, the world's largest nonprofit body of information security professionals. With software security serving as a critical component in protecting against contemporary cyber threats, vendors need to work on implementing more secure development processes, according to researchers.
In the survey of 12,000 information security professionals, conducted in conjunction with Booz Allen Hamilton and Frost & Sullivan, (ISC)2 found that 69 percent considered application vulnerabilities a top or high threat concern. In the 60 percent of detected security breaches with an attributable cause, approximately one-third were a result of insecure software. Despite the importance of and interest in protecting applications, however, security expert involvement in the coding process is generally limited.
"Secure software development, more than any other discipline, is where the largest gap between risk and response attention by the information security profession exists," researchers wrote.
A lack of involvement
Just 12 percent of information security professionals reported being personally involved in software development, while 20 percent said they were involved in procurement. Approximately 50 percent said someone other than themselves was involved in development, procurement and outsourcing. Even among those who are involved, there is a significant drop-off between the share who participate in specifying security requirements and the share who later confirm whether those requirements were met. According to Richard Nealon, co-chairman of the (ISC)2 EMEA Advisory Board, there is room for security professionals to increase their involvement in development.
"We are seeing a high number of incidents that have software vulnerabilities as a core component, but we don't have the training to go in and get more involved in the development lifecycle," Nealon told Computerworld UK. "There is a huge opportunity for security professionals in the industry to get more involved … Mostly what we get involved with at the moment is setting the requirements for the software, and that's pretty much it. Most of us don't see it as our bread and butter, as our focus is traditionally governance and risk management. We have very few professionals that are primarily involved in developing secure software."
Strategies for improvement
According to the survey, concern over secure software development increases with company size, which the researchers attributed to larger companies developing more applications. Respondents from larger companies also tended to rank secure development as more important than software or hardware security products. Across companies of all sizes, secure development was rated more important than software or hardware security products.
The stages of development most often highlighted for security concerns were design (71 percent), requirement specification (69 percent) and testing, debugging or validation (65 percent). Involving security professionals at each of these stages, as Nealon suggested, can help reduce issues, but often the staff are not available: 56 percent of organizations reported that their security team is too small. Automated tools such as static analysis software provide a way to add security checks without adding significant headcount. By building source code analysis into the development process, for example as a gate that runs on every build or code review, organizations can reduce the threat of application vulnerabilities.
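To make the last point concrete, here is a small AST-based static checker that could run as a build or pre-commit gate. It is an added example written for this page; it is not Klocwork's product and not code from the survey or the article. It parses Python source, flags a handful of well-known dangerous patterns (eval/exec, unsafe deserializers, shell=True with a non-literal command, SQL built by string formatting, string literals assigned to secret-looking names) and returns a non-zero gate status when a blocking rule fires. The rule names and the sample source it scans are constructed for the example.

```python
"""Minimal AST-based security linter (added example; not Klocwork's tool)."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


# Rule tables (names chosen for this example).
CODE_EXEC_CALLS = {"eval", "exec"}
UNSAFE_DESERIALIZERS = {"pickle.load", "pickle.loads", "yaml.load", "marshal.loads"}
SUBPROCESS_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                    "subprocess.check_output", "subprocess.check_call"}
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee: 'eval', 'subprocess.run', 'cur.execute'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def _is_dynamic_string(node: ast.AST) -> bool:
    """True for f-strings, % formatting, + concatenation and .format() calls."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class SecurityVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _report(self, node: ast.AST, rule: str, message: str) -> None:
        self.findings.append(Finding(node.lineno, rule, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in CODE_EXEC_CALLS:
            self._report(node, "code-exec", f"{name}() executes arbitrary code")
        elif name in UNSAFE_DESERIALIZERS:
            self._report(node, "unsafe-deserialize", f"{name}() on untrusted data can run code")
        elif name in SUBPROCESS_CALLS:
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            # A literal command with shell=True is noisy but not injectable; flag the rest.
            if shell and node.args and not isinstance(node.args[0], ast.Constant):
                self._report(node, "shell-injection", f"{name}(shell=True) with non-literal command")
        elif name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            self._report(node, "sql-injection", "query built by string formatting; use parameters")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        v = node.value
        if isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value:
            for t in node.targets:
                if isinstance(t, ast.Name) and any(s in t.id.lower() for s in SECRET_NAMES):
                    self._report(node, "hardcoded-secret", f"string literal assigned to {t.id}")
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse one module and return findings ordered by line."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def gate(findings: list[Finding],
         blocking=("code-exec", "sql-injection", "shell-injection")) -> int:
    """Exit status for CI: 1 if any blocking rule fired, else 0."""
    return 1 if any(f.rule in blocking for f in findings) else 0


# Constructed sample module exercising each rule plus two safe counterparts.
SAMPLE = """\
import subprocess, pickle
DB_PASSWORD = "hunter2"
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
def run(cmd):
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", "-l"])
def load(blob):
    return pickle.loads(blob)
def calc(expr):
    return eval(expr)
"""

if __name__ == "__main__":
    results = scan_source(SAMPLE)
    for f in results:
        print(f"line {f.line}: [{f.rule}] {f.message}")
    raise SystemExit(gate(results))
```

Run as a script it prints five findings and exits 1, which is what makes it usable as a build gate; the parameterized query and the list-form subprocess call in the sample are deliberately left unflagged to show the checker distinguishing safe from unsafe forms rather than matching on function names alone.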
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.