Security Starts at the Top
The culture connection gets real as experts agree that secure software development requires a new mindset across the board.
Global Study Identifies Existing Organizational Culture as a Key Hurdle for Companies to Overcome in Order to Thrive in Digital Economy
Thanks to Chris Wysopal, CTO at Veracode (now part of CA Technologies), for discussing the results of the second phase of a global survey of more than 1,200 IT leaders on the topic of secure software development. Conducted by IT industry analyst firm Freeform Dynamics, the new report highlights the influence of an organization's culture on its ability to integrate security practices into its software development initiatives, a practice and approach commonly known as DevSecOps.
According to Chris, CEOs will need to say "security is job one" if it will ever take precedence over speed to market. Headlines are not turning into action.
Today’s digital economy is fueled by software. When software is developed with security integrated from the start, the risk of data breaches is greatly diminished, providing users with heightened levels of confidence and trust when engaging with applications and services that are so ubiquitous in our online world.
According to survey respondents, the majority confirmed that software development supports growth and expansion, helps businesses compete, and drives digital transformation. And yet, the findings show that, as software becomes more critical to business success in the digital economy, security concerns are exponentially on the rise. In fact, 74% of respondents agreed that security threats due to software and code issues are a growing concern. CA Veracode’s State of Software Security Report 2017 found that vulnerabilities continue to crop up in previously untested software at alarming rates, with 77% of apps having at least one vulnerability on the initial scan.
Creating a culture of secure software development is a major challenge, according to the survey findings. An overwhelming 58% of respondents cited existing culture and lack of skills as hurdles to being able to embed security testing and evaluation within software development processes. Only 24% strongly agreed that the organization’s culture and practices supported collaboration across development, operations, and security. On top of cultural limitations, less than a quarter of respondents strongly agreed that senior management would sacrifice time to market in order to have sufficient time to assess and repair software security vulnerabilities.
According to Chris, the skills deficit needs to be addressed at the developer and Scrum Master level with an honest assessment of whether or not they have the necessary skills to think through the security of what they are building, to write tests, and to test. If they have a question, do they have a resource they can tap into? Education and remediation consulting are necessary for everyone involved in application development. If there are no experts on staff, organizations need to identify third-party security experts their developers can connect with in a timely manner to get security issues resolved as early in the SDLC as possible.
“Security is a key principle in any modern software factory. While our survey findings confirm an overarching recognition of the importance of ensuring that data and systems are built and maintained securely, there is still a lack of cultural adoption within organizations around this pressing issue,” said Ayman Sayed, president and chief product officer of CA Technologies. “When coupled with security, Intelligent IT – the use of AI, machine learning, and analytics to make better, more informed decisions – can dramatically change the way that business is done.”
The report showcases characteristics of "Software Security Masters" (the top 34% of respondents): organizations that have been able to fully integrate security into their software development lifecycles. This includes conducting early and continuous application testing for security vulnerabilities, as well as embracing the practice of DevSecOps.
In fact, when compared with the mainstream, 2.4x more Software Security Masters strongly agreed that in addition to protecting a company’s data and systems, they viewed security as an enabler of new business opportunities, and exhibited the following attributes:
50% higher profit growth.
40% higher revenue growth.
2.6x more likely to have security testing keep up with frequent app updates.
2.5x more likely to be outpacing competitors.
“The organizations labeled as Software Security Masters are the beacons of hope in today’s digital economy. Not only do they exemplify and represent the cultural mindset necessary to adapt and thrive in today’s dynamic market, they are influencing change within the industry while shaping the workplace of the future,” concluded Sayed.
If 40% higher revenue growth and 50% higher profit growth don't attract the attention of the C-suite, the board, and investors, what will?