Developers still need to better integrate security into their development practices from the earliest stages, according to “The Software Security Risk Report,” a recently published Forrester Research study conducted to examine app security and testing practices.
The study’s respondents—240 North American and European software development influencers from companies that develop Web apps—cited a lack of security technologies suitable for development among the reasons why 51% of them had at least one Web app security incident in the prior 18 months.
“The survey found that software security-related incidents are still common and the consequences can be severe,” said Chenxi Wang, VP and principal analyst at Forrester and author of the report. “Software security practices, generally speaking, are far from mature. Many companies are still struggling with eliminating the most basic security flaws.”
The study, commissioned by development testing tool provider Coverity, found that security incidents are still both prevalent and expensive; code volumes and business demands often sideline security; too few companies employ secure development practices; and developers struggle with legacy security tools. “In general, we see misaligned goals for developers and the security side of the house,” Wang said. “This can lead to challenges (when trying) to embed security measures upstream in the development process.”
According to the report, security risks are still present and the problem is not going away. The No. 1 reason given—from 79% of the survey respondents who had breaches—was that they can’t keep up with the quantity of code. “It’s similar to the cost-quality-time triangle,” said Jennifer Johnson, VP of marketing at Coverity. “You just replace quality for security. If you have to get to market faster, it’s all about more features and faster time to market. But code is exploding and software complexity is increasing. If development doesn’t have the right technology to address these problems, they can’t keep up. There’s no way that they’re going to effectively address security in development.”
The most important thing to remember, according to Johnson, is that this report highlights that security all starts and ends with development. “Developers are the ones that write the code and, ultimately, they’re the ones that need to fix the problems when they come back downstream,” she said. “Developers need to be part of the solution and take responsibility for security. But the solution is not about force-fitting security tools into development but, rather, actually giving developers tools that are accurate, actionable and that fit into their workflow.”
Wang agreed that software security maturity won’t happen without development being involved. Development managers play a critical role here. “They can get developers engaged and can set goals to encourage cross-role collaboration to enhance application security measures,” he said. “Therefore, it is extremely important for dev managers to realize the state of software security risk and how they can help.”
Protecting intellectual property
Wang explained how software development managers could better protect their company’s code (which is also their intellectual property) in light of all the security breaches that happen. “Development managers would do their companies a service by incorporating good security measures in their development practices. This will help reduce expensive downstream work to chase down security vulnerabilities as well as costly incident response actions,” he said.
Of course, protecting company intellectual property requires more than just software security. For example, operational procedures, network security, and good runtime threat detection capabilities all come into play, Wang said. “But software security is a necessary component in your defense arsenal. Without that, it’s like having your front door wide open: The best network security on the planet won’t protect your intellectual property.”