Forrester: Companies still not using secure practices
September 20, 2012 —
Developers still need to better integrate security into their development practices from the earliest stages, according to “The Software Security Risk Report,” a recently published Forrester Research study conducted to examine app security and testing practices.
The study’s respondents—240 North American and European software development influencers from companies that develop Web apps—cited a lack of security technologies suitable for development among the reasons why 51% of them had at least one Web app security incident in the prior 18 months.
“The survey found that software security-related incidents are still common and the consequences can be severe,” said Chenxi Wang, VP and principal analyst at Forrester and author of the report. “Software security practices, generally speaking, are far from mature. Many companies are still struggling with eliminating the most basic security flaws.”
The study, commissioned by development testing tool provider Coverity, found that security incidents are still both prevalent and expensive; code volumes and business demands often sideline security; too few companies employ secure development practices; and developers struggle with legacy security tools. “In general, we see misaligned goals for developers and the security side of the house,” Wang said. “This can lead to challenges (when trying) to embed security measures upstream in the development process.”
According to the report, security risks are still present and the problem is not going away. The No. 1 reason given—from 79% of the survey respondents who had breaches—was that they can’t keep up with the quantity of code. “It’s similar to the cost-quality-time triangle,” said Jennifer Johnson, VP of marketing at Coverity. “You just replace quality for security. If you have to get to market faster, it’s all about more features and faster time to market. But code is exploding and software complexity is increasing. If development doesn’t have the right technology to address these problems, they can’t keep up. There’s no way that they’re going to effectively address security in development.”
The most important thing to remember, according to Johnson, is that this report highlights that security all starts and ends with development. “Developers are the ones that write the code and, ultimately, they’re the ones that need to fix the problems when they come back downstream,” she said. “Developers need to be part of the solution and take responsibility for security. But the solution is not about force-fitting security tools into development but, rather, actually giving developers tools that are accurate, actionable and that fit into their workflow.”