Awareness of the importance of application security has jumped significantly in just a few years, and it is top of mind for the majority of those surveyed recently by Symantec Corp. But the implementation of secure coding practices, as well as formal education, still has a way to go, according to the survey results.
Among the 400 U.S.-based software developers surveyed by Applied Research on behalf of Cupertino, Calif.-based Symantec, 93% indicated that secure application development is more of a priority now than three years ago.
"That's an overwhelming number, and it fits with what I'm seeing in the field. Pretty much everyone, regardless of what they thought three years ago, thought it was a bigger deal now," said Brad Arkin, senior manager of Symantec Security Learning Services. "They are either now focused on it and working hard to fix the problem, or they're aware and know they need to address it."
In fact, according to the survey, 35% of respondents cite security as their number one priority, while 39% rank it number two.
The big driver for this change in awareness is the threat landscape, Arkin said. "Our threat report has shown a trend that application security vulnerabilities are increasing and growing faster than any other category of vulnerability. The bad guys out there are taking the path of least resistance."
For most organizations today, he said, "operating systems are configured correctly, they've got good network firewalls, so the application becomes the weakest point. And it's where the bad guys are spending their energy."
Arkin noted that in addition to increasing vulnerabilities, changes in the regulatory environment are also driving awareness. Today, he said, "if you have a data security breach you need to inform your customers. In the past, your company might've been able to tuck it away. Because of changes in the regulatory environment, organizations are proactively saying, 'What can we do to make sure we do not end up in the newspaper?'"
Along with increasing awareness, corporate commitment to application security is on the rise. When asked to what degree business leaders and senior staff consider security to be a priority, on a scale of 1 to 5, 23% of respondents indicate that security is a top priority (1), while 37% weight it as a 2.
However, time-to-market pressures still loom large as a barrier to corporate commitment. For example, only 12% of respondents say security always takes priority compared with meeting competitive deadlines, and another 30% say security usually takes priority. For another 30% of respondents, security and deadline pressures are about equal, while for 12% competitive pressures always take priority.
And building security into the software development life cycle is still not a given at most organizations. Only 29% of respondents say security is always part of the development process.
When vulnerabilities in code are found, 63% of respondents utilize a process to remediate vulnerabilities only some of the time, 30% always remediate vulnerabilities, and 7% never do. And while 65% of respondents include security testing as part of the QA process, Arkin said that seems high based on his experience.
"A lot of organizations may have good intentions about security testing, but it comes down to they don't know how or there are not enough people, so it may get pushed aside," he said.
Security training important
But organizations are showing a commitment to security training. According to the survey, 68% of respondents indicated that their employer emphasized or required continuing education around secure coding, while 32% said their employers do not.
"The good news is that ongoing education and training are being promoted," Arkin said. "The majority of organizations are pushing it and making it available, whether through formal [programs] or on-the-job training. In our experience [application security] requires a steady, consistent education program. It gives me a good feeling that the tide is turning and organizations are starting to take the right steps to address the problem."
But consistent, formalized education in secure coding is still lacking throughout the industry. On-the-job security training is the most common method, according to 66% of respondents. Just 40% have received formal training by their employers, and 11% have received no training. And only 27% have received training in secure coding as part of their undergraduate education.
According to Arkin, the survey results present a good news/bad news scenario. "The good news is there's progress, but the bad news, or the flip side, is we're not there yet. It's great the numbers are higher, but we're still not getting the coverage we need to protect sensitive data and applications."