The marketplace is beginning to pinch the software industry for application security failings and complications, according to a new Dark Reading study.
Sixty-one percent of respondents to the survey, released today, stated that security concerns about one application have caused them to migrate to an alternative. Twenty-seven percent swapped one commercial off-the-shelf (COTS) application for another. Others migrated over to a COTS solution, leaving behind either open source (6%) or in-house developed (16%) tools. However, 12% dropped their commercial software altogether, in favor of either open source or in-house developed apps.
Why the changes? Some of the reasons are familiar.
For example, internal dev teams may be poorly trained on secure coding and be liable to run into business conflicts with their counterparts in the security department. When asked to name the biggest risk to appsec, the No. 1 answer was "developers untrained in security," cited by 38% of respondents. This worry persists despite a majority of respondents giving positive reviews of the relationship between these two teams.
And, of course, commercial software vendors' security records vary widely; while one may have a large dedicated security team, supported by a bug-bounty program and a reliable process for issuing patches and updates, another may have none of those things and leave bugs unfixed for years. Similarly, open source communities vary in the kind of support they provide.
Some reasons, however, are less familiar. Recently, new security challenges have arisen to further complicate the choices that businesses make about applications.
For example, this year the United States, citing national security concerns, prohibited the use of technologies from Chinese tech giant Huawei, as well as surveillance technologies from other Chinese companies. In 2017, the administration ordered the removal of Kaspersky Lab cybersecurity tools from all federal systems for similar reasons.
Meanwhile, attacks exploiting vulnerabilities in open source code libraries have increased -- and while that might initially make open source applications appear less attractive, these components are also frequently used by internal development teams and commercial software vendors alike. Fortunately, most respondents have a process in place to repair vulnerabilities in open source software components, though 21% admit to being "completely at a loss."