New Research From EMA Reveals How Organizations Are Struggling to Develop Secure Software Applications
Research shows that over 50% of organizations performing software development struggle with fully integrating security into their software development lifecycle.
January 19, 2023
PRESS RELEASE
BOULDER, Colo. , Jan. 19, 2023 /PRNewswire-PRWeb/ -- Enterprise Management
Associates (EMA(TM)), a leading IT and data management research and consulting
firm, has released a new research report, "Secure Coding Practices - Growing
Success or Zero-Day Epidemic?" authored by Christopher M. Steffen, managing
research director of security and risk management at EMA, and Ken Buckler,
research analyst covering security and risk management at EMA.
From 2015 to 2021, the number of new vulnerabilities per year in the National
Vulnerability Database grew from 6,487 to 20,139.* This increase in
vulnerabilities may be due to a significant skills gap when it comes to secure
software development. In 2019, a review of the top 20 computer science schools
found that out of all the schools listed, only one listed security as an
undergraduate degree requirement for computer science.** Simply put, software
developers are not being taught secure coding practices at colleges and
universities, and with a significant number of organizations failing to invest
in any secure coding training whatsoever, even some of the most seasoned
developers in the industry may have little to no awareness of secure coding
concepts.
EMA surveyed 129 professionals across multiple industry verticals, seeking to
understand how organizations are tackling the challenge of developing secure
software applications. The results revealed that over half of organizations
performing software development struggle with fully integrating security into
their software development lifecycle (SDLC), and many organizations are failing
to make critical investments in enhancing the security knowledge of their
development teams.
Some of the key findings include:
-- 69.3% of organizations have SDLCs that miss critical security steps.
This includes 45.3% of organizations that do not have a dedicated
validation step in their security SDLC, 20% of organizations that do
not have a dedicated planning step, and 4% that do not have a
dedicated implementation step.
-- 100% of organizations using a combination of code reviews, code
scanning tools, and third-party training saw improvement in their code
security.
-- Only 75% of organizations not using training saw improvement in their
code security.
All too often when it comes to cybersecurity, the human element is the most
overlooked component of any system. With lowest adoption rates (54%) and highest
code security improvement rates (100%), third-party training appears to be the
critical component in which some organizations are failing to invest.
"The human element is the first and last line of defense when it comes to any
cybersecurity program," said Buckler. "The rapidly growing number of software
vulnerabilities discovered per year clearly outlines the need for better
cybersecurity practices from the ground up. This includes developing secure
applications from the start through investing in improving the secure coding
practices of the industry's software development workforce."
A detailed analysis of the research findings is available in the report, "Secure
Coding Practices - Growing Success or Zero-Day Epidemic?"
EMA will reveal highlights from the report during the free February 7th webinar,
"Secure Coding Practices - Growing Success or Zero-Day Epidemic?"
Security Journey sponsored this independent research report. Security Journey
offers robust application security education tools to help developers and the
entire SDLC team recognize and understand vulnerabilities and threats to
proactively mitigate these risks.
You May Also Like