Executives in charge of their organization’s data and infrastructure security have concerns. Top of the list is application vulnerabilities; that is, the looseness in application software code and logic that provides attackers the means and opportunity to pursue their nefarious activities (e.g., exfiltrate valuable data, steal intellectual property, disrupt operations, and damage the victim’s public reputation). Confirming this concern is a 2012 global survey of information security professionals, commissioned by (ISC)2 and conducted by Frost & Sullivan.
As shown in this chart, percent of security executives rated application vulnerabilities as either a top or high concern. This number one ranking is not exclusive to security executives. Near equal levels of concern were expressed by all categories of security professionals (e.g., security architects, auditors, managers, and security analysts) regardless of industry vertical and company size. In other words, application vulnerabilities are a recognized, pervasive, and significant security concern.
Reducing the number and severity of application vulnerabilities during software development would seem to be the most logical remedy to this situation. Yet, as discussed in this SPIE, involvement in secure software development by security professionals pales relative to their level of concern over application vulnerabilities. Additionally, form and function priorities for application developers keep secure software development at the low end of their priority ladders.
These points notwithstanding, there is reason to be optimistic that secure software development will gain increasing favor among application development and security teams. While far from an immediate sea-change, several factors described in this SPIE are coalescing to move the needle on secure software development.
Limited Involvement in Secure Software Development
As stated in the Introduction, security professionals are not extensively involved in secure software development. This is not to say that there are no security professionals deeply engaged; rather, the degree of involvement pales when compared to the degree of concern expressed by the community of security professionals.
From the survey, there are two prominent data points that highlight this community’s limited involvement. First is how much, and where, they are involved in software development. The survey points to low personal involvement—only percent of the surveyed security professionals state that they are personally involved in software development, and percent indicate that they are involved in software procurement. Their involvement is, as shown in this chart, also not uniform across the multiple stages of the software lifecycle, and is heaviest in specifying requirements. With the potential for application vulnerabilities to be introduced at every stage of the software lifecycle, and with severity being a function of the evolving threat environment (i.e., through persistence and time, attackers discover vulnerabilities and learn how best to exploit them), this non-uniformity in security professionals’ engagement is disconcerting.
With only a small set of security professionals personally active in either secure software development or software procurement, the question is: which security operations activities are consuming their time and talents? That answer is shown in the chart at the left, which leads to another question. If more attention was placed on secure software development by security professionals, might the time spent on these other security operations activities be reduced? Potentially yes; but the time spent must also be effective; and that requires knowledge and skill—which leads to the second data point on security professionals’ limited involvement in secure software development.
Here too, the survey responses do not suggest that the community of security professionals has the set of skills necessary to be effective. Only one percent of the surveyed security professionals claim to hold the Certified Secure Software Lifecycle Professional (CSSLP) certification. For a profession that emphasizes certification as a demonstration of proficiency, this too is disconcerting with respect to the effectiveness of security teams in ensuring that applications are designed to operate securely.